TO AUDIT OFFICIALS, CIOS, AND OTHERS INTERESTED IN
FEDERAL AND OTHER GOVERNMENTAL INFORMATION
SYSTEM CONTROLS AUDITING AND REPORTING

This letter transmits the revised Government Accountability Office (GAO) Federal Information System Controls Audit Manual (FISCAM). The FISCAM presents a methodology for performing information system (IS) control audits of federal and other governmental entities in accordance with professional standards, and was originally issued in January 1999. We have updated the FISCAM for significant changes affecting IS audits.

This revised FISCAM reflects consideration of public comments received from professional accounting and auditing organizations,


government entities, audit guidance and control criteria issued by the National Institute of Standards and Technology (NIST), and (3) generally accepted government auditing standards (GAGAS),


as presented in Government Auditing Standards (also known as the "Yellow Book"). The FISCAM provides a methodology for performing information system (IS) control audits in accordance with GAGAS, where IS controls are significant to the audit objectives. However, at the discretion of the auditor, this manual may be applied on other than GAGAS audits. As defined in GAGAS, IS controls consist of those internal controls that are dependent on information systems processing and include general controls and application controls. This manual focuses on evaluating the effectiveness of such general and application controls. This manual is intended for both (1) auditors, to assist them in understanding the work done by IS controls specialists, and (2) IS controls specialists, to plan and perform the IS controls audit. The FISCAM is not intended to be used as a basis for audits where the audit objectives are to specifically evaluate broader information technology (IT) controls (e.g., enterprise architecture and capital planning) beyond the context of general and business process application controls.

The FISCAM is consistent with the GAO/PCIE Financial Audit Manual (FAM). Also, the FISCAM control activities are consistent with NIST Special Publication (SP) 800-53 and other NIST and OMB IS control-related policies and guidance, and all SP 800-53 controls have been mapped to the FISCAM.

The FISCAM is organized to facilitate effective and efficient IS control audits. Specifically, the methodology in the FISCAM incorporates:

• Top-down, risk-based approach that considers materiality and significance in determining effective and efficient audit procedures and is tailored to achieve the audit objectives.


• Evaluation of entitywide controls and their effect on audit risk.

• Evaluation of general controls and their pervasive impact on business process application controls.

• Evaluation of security management at all levels (entitywide, system, and business process application levels).

• A control hierarchy (control categories, critical elements, and control activities) to evaluate the significance of identified IS control weaknesses.

application level controls) contain several control categories, which are groupings of related controls pertaining to similar types of risk. For each control category, the manual identifies critical elements: tasks that are essential for establishing adequate controls within the category. For each critical element, there is a discussion of the associated control activities that are generally necessary to achieve the critical element, as well as related potential control techniques and suggested audit procedures. This hierarchical structure facilitates the auditor's audit planning and the auditor's analysis of identified control weaknesses.


critical elements, they are


are sufficient to achieve the control activity, considering IS risk and the audit objectives, the auditor may be able to determine whether control techniques are sufficient to achieve a particular control activity without evaluating and testing all of the control techniques.


Also, depending on IS risk and the audit objectives, the nature and extent of control techniques necessary to achieve a particular control objective will vary.

If control techniques are sufficient as designed, the auditor should determine whether the control techniques are implemented (placed in operation) and are operating effectively. Also, the auditor should evaluate the nature and extent of testing performed by the entity. Such information can assist in identifying key controls and in assessing risk, but the auditor should not rely on testing performed by the entity in lieu of appropriate auditor testing. If the control techniques implemented by the entity, as designed, are not sufficient to address the control activity, or the control techniques are not effectively implemented as designed, the auditor should determine the effect on IS controls and the audit objectives.

Throughout the updated FISCAM, revisions were made to reflect

find it unnecessary to routinely refer to such narrative in performing

have sufficient knowledge, skills, and abilities to directly use the control tables in Chapters 2 and 3 (which are summarized in Appendices II and III).


Future updates to the FISCAM, including any implementation tools and related materials, will be posted to the FISCAM website at http://www.gao.gov/special.pubs/fiscam.html.


The revised FISCAM is available only in electronic form at http://www.gao.gov/products/GAO-09-232G on GAO's Web page. This version supersedes previously issued versions of the FISCAM through January 2001. Should you need additional information, please contact us at FISCAM@gao.gov or call Robert Dacey at (202) 512-7439 or Greg Wilshusen at (202) 512-6244. GAO staff who made key contributions to the FISCAM are listed on page 15.


Gregory C. Wilshusen


Attachment  and  enclosures 


including planning, testing, and reporting phases (see a summary

• A top-down, risk-based evaluation that considers materiality and significance in determining effective and efficient audit procedures (the auditor determines which IS control techniques are relevant to the audit objectives and which are necessary to achieve the control activities; generally, all control activities are relevant unless the related control category is not relevant, the audit scope is limited, or the auditor determines that, due to significant IS control weaknesses, it is not necessary to test all relevant IS controls).

• An evaluation of entitywide IS controls and their effect on audit risk, and therefore on the extent of audit testing (effective entitywide IS controls can reduce audit risk, while ineffective entitywide IS controls result in increased audit risk and generally are a contributory cause of IS control weaknesses at the system and business process application levels).


• An evaluation of security management at all levels of control

factors sufficiently reduce the risk).


• Groupings of control categories consistent with the nature of the risk.


each audit phase

> Additional audit considerations that may affect an IS audit, including:

• information security risk factors

• automated audit tools

• sampling techniques

Chapter 3

> Reorganized general control categories, consistent with GAGAS:

• Security management - broadened to consider statutory requirements and best practices

• Access controls - restructured to incorporate system software, eliminate redundancies, and facilitate IS auditing in a networked environment

o System boundaries

o Identification and authentication

o User authorization

o Sensitive system resources

o Audit and monitoring

o Physical security

• Configuration management - broadened to include network components and applications

• Segregation of duties - relatively unchanged

• Contingency planning - updated for newer terminology


> Updated general control activities that (1) are consistent with current NIST and OMB information security guidance (including all NIST SP 800-53 controls), including references/mapping of each critical element to such guidance, and (2) consider new IS risks and audit experience


Chapter 4


> Audit methodology and IS controls for business process applications that (1) are consistent with GAGAS and current NIST and OMB information security guidance (including all NIST Special Publication 800-53 controls), including references/mapping to such guidance, and (2) consider new IS


ty (formerly


related to the validity


> Application of FISCAM to Single Audits

> Application of FISCAM to FISMA

> Information System Controls Audit Documentation

> Updated Glossary


INFORMATION SYSTEM CONTROL OBJECTIVES


GENERAL CONTROLS


• security management program,

• periodic assessments and validation of risk,

• security control policies and procedures,

• security awareness training and other security-related personnel issues,

• periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices,

• remediation of information security weaknesses, and

• security over activities performed by external third parties.


• protection of sensitive system resources,

• audit and monitoring capability, including incident handling, and

• physical security controls.


Controls provide reasonable assurance that changes to information system resources are authorized and systems are configured and operated securely and as intended, including effective:

• configuration management policies, plans, and procedures,

• current configuration identification information,

• proper authorization, testing, approval, and tracking of all configuration changes,

• updating software on a timely basis to protect against known vulnerabilities, and

• documentation and approval of emergency changes to the configuration.


Segregation of Duties

• segregation of incompatible duties and responsibilities and related policies, and

• control of personnel activities through formal operating procedures, supervision, and review.


Controls provide reasonable assurance that contingency planning (1) protects information resources and minimizes the risk of unplanned interruptions and (2) provides for recovery of critical operations should interruptions occur, including effective:

• comprehensive contingency plan, and

• periodic testing of the contingency plan, with appropriate adjustments to the plan based on the testing.


BUSINESS PROCESS APPLICATION CONTROLS


Completeness - controls provide reasonable assurance that all transactions that occurred are input into the system, accepted for processing, processed once and only once by the system, and properly included in output.

Accuracy - controls provide reasonable assurance that transactions are properly recorded, with correct amount/data, and on a timely basis (in the proper period); key data elements input for transactions are accurate; data elements are processed accurately by applications that produce reliable results; and output is accurate.

Validity - controls provide reasonable assurance (1) that all recorded transactions actually occurred (are real), relate to the organization, are authentic, and were properly approved in accordance with management's authorization; and (2) that output contains only valid data.

Confidentiality - controls provide reasonable assurance that application data and reports and other output are protected against unauthorized access.

Availability - controls provide reasonable assurance that application data and reports and other relevant business information are readily available to users when needed.


IS AUDIT METHODOLOGY STEPS


Plan the Information System Controls Audit

> Understand the Overall Audit Objectives and Related Scope of the Information System Controls Audit

> Understand the Entity's Operations and Key Business Processes

> Obtain a General Understanding of the Structure of the Entity's Networks

> Identify Key Areas of Audit Interest

> Assess Information System Risk on a Preliminary Basis

> Identify Critical Control Points

> Obtain a Preliminary Understanding of Information System Controls

> Perform Other Audit Planning Procedures

o Relevant Laws and Regulations

o Consideration of the Risk of Fraud and

o Previous Audits and Attestation Engagements

o Audit Resources

o Multiyear Testing Plans

o Communication with Entity Management and Those Charged with Governance

o Service Organizations

o Using the Work of Others

o Audit Plan

Perform Information System Controls Audit Tests

> Understand Information Systems Relevant to the Audit Objectives

> Determine Which IS Control Techniques Are Relevant to the Audit Objectives

> For Each Relevant IS Control Technique, Determine Whether It Is Suitably Designed to Achieve the Critical Activity and Has Been Implemented


John A. Spence, and Charles M. Vrabel.

Chapter 1. Introduction


1.0 Chapter 1 Overview

This manual provides a methodology for performing information system (IS) control audits in accordance with "generally accepted government auditing standards" (GAGAS), as presented in Government Auditing Standards (also known as the "Yellow Book"). However, at the discretion of the auditor, this manual may be applied on other than GAGAS audits. As defined in GAGAS, IS controls consist of those internal controls that are dependent on information systems processing and include general controls and application controls. This manual focuses on such general and

As computer technology has advanced, federal agencies and other government entities have become dependent on computerized information systems to carry out their operations and to process, maintain, and report essential information. Virtually all federal operations are supported by automated systems and electronic data, and agencies would find it difficult, if not impossible, to carry out their missions and account for their resources without these information assets. Hence, ineffective IS controls can result in significant risk to a broad array of government operations and assets. For example,

• resources, such as payments and collections, could be lost or stolen;

• computer resources could be used for unauthorized purposes, including the launching of attacks on others;

• sensitive information, such as taxpayer data, Social Security records, medical records, other personally identifiable information, and proprietary business information, could be inappropriately added, deleted, read, copied, disclosed, or modified for purposes such as espionage, identity theft, or other types of crime;

• critical operations, such as those supporting national defense and emergency services, could be disrupted;

• data could be modified or destroyed for purposes of fraud or disruption; and

• entity missions could be undermined by embarrassing incidents that result in diminished confidence in an entity's ability to conduct operations and fulfill its responsibilities.

The nature of IS risks continues to evolve. Protecting government computer systems has never been more important because of the complexity and interconnectivity of systems (including Internet and wireless), the ease of obtaining and using hacking tools, the steady advances in the sophistication and effectiveness of attack technology, and the emergence of new and more destructive


mainframes. Data communications links and network devices such as routers, hubs, and switches enable the hosts to communicate with one another through local area networks (LANs) within entities. Wide area networks (WANs) connect LANs at different geographical locations. Moreover, entities are typically connected to the Internet.


1.1 Purpose and Anticipated Users of the Manual


This manual describes (1) an audit methodology to evaluate the effectiveness of IS controls, and (2) the controls that auditors evaluate when assessing the confidentiality, integrity, and availability of information and information systems. It is intended to be used primarily on financial and performance audits and attestation engagements performed in accordance with "generally accepted government auditing standards" (GAGAS), as presented in Government Auditing Standards (also known as the "Yellow Book"). However, at the discretion of the auditor, this manual may be applied on other than GAGAS audits. This manual is intended for both (1) auditors performing financial and performance audits and attestation engagements, to assist them in understanding the work done by IS controls specialists, and (2) IS controls specialists, to plan and perform the IS controls audit. Federal and other government auditors may use this manual. It is not an auditing standard and it would be incorrect to refer to it as a standard. Its purposes are to

and efficient IS


the audit objectives. IS controls generally are relevant to a financial audit, as financial information is usually processed by information systems. For financial audits, the GAO/PCIE Financial Audit Manual (FAM) provides a framework for evaluating IS controls as part of a financial audit. The scope of an information system controls audit in support of a financial audit is summarized in Appendix VI. For performance audits, GAGAS 7.27 states that auditors should determine which audit procedures related to information system controls are needed to obtain sufficient, appropriate evidence to support the audit findings and conclusions. This GAGAS paragraph provides factors that may assist auditors in making this determination.

This manual lists specific control activities and techniques and related suggested audit procedures. These are described at a high level and assume some level of expertise for an auditor to perform these audit procedures effectively. Accordingly, the auditor, applying judgment, should develop more detailed audit steps and tailor control activities based on the specific software and control techniques employed by the entity, the audit objectives, and significant areas of audit interest. Further, the auditor is responsible for identifying any necessary changes to IS control-related criteria, including changes to control activities and techniques, based on publications issued after December 2008. Future updates to the FISCAM, including any implementation tools and related materials, will be posted to the FISCAM website at


In addition, the FISCAM includes narrative that is designed to provide a basic understanding of the methodology (Chapter 2), general controls (Chapter 3), and business process application controls (Chapter 4) addressed in the FISCAM. The narrative may

Experienced IS controls specialists may

find it unnecessary to routinely refer to such narrative in performing

than simply look at the


Although IS controls audit work, especially

generally performed by an IS controls specialist,

performance auditors with appropriate

controls specialist or (2) a financial or performance auditor working

specialists. The FISCAM may be used by other staff that possess adequate IT competence. GAGAS requires that staff assigned to conduct an audit must collectively possess the technical knowledge, skills, and experience necessary to be competent for the type of work being performed. See Appendix V for additional information on the knowledge, skills, and abilities needed to perform information system control audits.


The following terms are used in the FISCAM to describe the degree of responsibility they impose on auditors and audit organizations:

circumstances exist in which the unconditional requirement applies. The term "must" is used only in FISCAM when the related requirement is specified as a must in GAGAS.

• should - Auditors and audit organizations are also required to comply with this presumptively mandatory requirement in all cases in which the circumstances exist in which the

requirement. The term "should" is used when (1) the related requirement is specified as a "should" in GAGAS, or (2) performance is deemed necessary to meet GAGAS evidence requirements for an IS controls audit.

policy is strongly encouraged

• may - Compliance with

meaning of the terms is intended. If the

with a "must" or "should", the auditor should

noncompliance on the effectiveness of


1.2 Nature of Information System Controls


An evaluation of IS controls generally includes both general and business process application controls (also called application controls). The entity must have effective general and business process application controls to achieve the confidentiality, integrity, and availability control objectives.

General controls are the policies and procedures that apply to all or a large segment of an entity's information systems and help ensure their proper operation. Examples of primary objectives for general controls are to safeguard data, protect business process application

application levels. The


Without effective general controls, business process application controls can generally be rendered ineffective by circumvention or modification. For example, automated edits designed to preclude users from entering unreasonably large dollar amounts in a payment processing system can be an effective application control. However, this control is not effective (cannot be relied on) if the general controls permit unauthorized program modifications that might allow some payments to be exempt from the edit.


paragraph 7.23 defines application controls, or business controls, as those controls that help ensure the validity, completeness, accuracy, and confidentiality of transactions and data during application processing. Chapter 4 discusses the business process application level controls in an IS controls audit and provides more detail on the critical elements of each type of business process application control.

The overall framework of IS control objectives presented in the FISCAM can be viewed in different ways. One way to summarize the objectives is presented below.

in Chapter 4.


GENERAL CONTROLS


Security Management

Controls provide reasonable assurance that security management is effective, including effective:

• periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices,

• remediation of information security weaknesses, and

• security over activities performed by external third parties.


Controls provide reasonable assurance that access to computer resources (data, equipment, and facilities) is reasonable and restricted to authorized individuals, including effective:

• audit and monitoring capability, including incident handling,


Controls provide reasonable assurance that changes to information system resources are authorized and systems are configured and operated securely and as intended, including effective:

• configuration management policies, plans, and procedures,

• proper authorization, testing, approval, and tracking of all configuration changes,

• routine monitoring of the configuration,

• updating software on a timely basis to protect against known vulnerabilities, and

• documentation and approval of emergency changes to the configuration.


Segregation of Duties

• segregation of incompatible duties and responsibilities and related policies, and

• control of personnel activities through formal operating procedures, supervision, and review.


Controls provide reasonable assurance that contingency planning (1) protects information resources and minimizes the risk of unplanned interruptions and (2) provides for recovery of critical operations should interruptions occur, including effective:

• assessment of the criticality and sensitivity of computerized operations and identification of supporting resources,

• steps taken to prevent and minimize potential damage and interruption,

• comprehensive contingency plan, and

• periodic testing of the contingency plan, with appropriate adjustments to the plan based on the testing.


Completeness - controls provide reasonable assurance that all transactions that occurred are input into the system, accepted for processing, processed once and only once by the system, and properly included in output.

Accuracy - controls provide reasonable assurance that transactions are properly recorded, with correct amount/data, and on a timely basis (in the proper period); key data elements input for transactions are accurate; data elements are processed accurately by applications that produce reliable results; and output is accurate.

Validity - controls provide reasonable assurance (1) that all recorded transactions actually occurred (are real), relate to the organization, are authentic, and were properly approved in accordance with management's authorization; and (2) that output contains only valid data.


1.3 Determining the Nature and Extent of Audit Procedures


the IS controls specialist, and the financial,

auditor generally should work

part of a comprehensive effort to evaluate both the controls over and reliability of financial reporting. In performance audits and attestation engagements, the nature and extent of IS controls audit procedures vary depending on the objectives of the audit.


1.4 Organization of This Manual


• Chapter 2 describes the methodology for performing the IS controls audit.

• Chapter 3 provides information concerning the five general control categories, supporting critical elements, critical activities, potential control techniques, and suggested audit procedures.

• Chapter 4 provides information concerning the four business process application control level categories, supporting critical elements, critical activities, potential control techniques, and suggested audit procedures.


developing information security programs. This includes, for non-national security systems, Federal Information Processing Standards Publication (FIPS Pub) 199, Standards for Security Categorization of Federal Information and Information Systems; FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems; NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems; and other NIST guidance. The Office of Management and Budget (OMB) requires federal entities to apply NIST guidance to non-national security systems. Also, other sources, such as vendor-recommended IS practices and other generally accepted IS resources, may provide criteria. In addition, NIST is responsible for developing minimum security standards and guidelines that are complementary with standards and guidelines employed for the protection of national security systems and information contained in such systems. The auditor is responsible for identifying relevant IS control-related criteria issued after December 2008 and, where appropriate, criteria beyond that referred to in the FISCAM. Future updates to the FISCAM, including any implementation tools and related materials, will be posted to the FISCAM website at http://www.gao.gov/special.pubs/fiscam.html

The critical elements and control activities are designed to be able to be applied to systems with varying levels of risk. Consequently, critical elements and control activities are not differentiated by risk level. As discussed in Chapter 2, the auditor assesses IS risk based on a number of factors, including but not limited to consideration of the security categorizations assigned by management. In assessing whether the entity's control techniques are sufficient to achieve a particular control activity, the auditor considers several factors.


FISCAM, which is consistent with NIST and other criteria, is organized to facilitate effective and efficient IS controls audits. Specifically, the methodology in the FISCAM incorporates:

• A top-down, risk-based evaluation that considers materiality and significance in determining effective and efficient audit procedures (the auditor determines which IS control techniques are relevant to the audit objectives and which are necessary to achieve the control activities; generally, all control activities are relevant unless the related control category is not relevant, the audit scope is limited, or the auditor determines that, due to significant IS control weaknesses, it is not necessary to test all relevant IS controls).

achieved. IS controls are ineffective

sufficiently reduce the risk).

• Groupings of control categories consistent with the nature of the risk.

• Experience gained in GAO's performance of IS controls audits, including field testing the


As discussed above, this manual


the audit objectives. The auditor may be able to determine whether control techniques are sufficient to achieve a particular control activity without evaluating and testing all of the control techniques. Also, depending on IS risk and the audit objectives, the nature and extent of control techniques necessary to achieve a particular control objective will vary.

If control techniques are sufficient, the auditor should determine whether the control techniques are implemented (placed in operation) and are operating effectively. Also, the auditor should evaluate the nature and extent of testing performed by the entity. Such information can assist in identifying key controls and in assessing risk, but the auditor should not rely on testing performed by the entity in lieu of appropriate auditor testing. As discussed later in this section, if the control techniques implemented by the entity, as designed, are not sufficient to address the control activity, or the control techniques are not effectively implemented as designed, the auditor should determine the effect on IS controls and the audit objectives.


The entity's management is responsible for implementing an appropriate system of cost-effective IS controls, including an effective monitoring program to provide management with reasonable assurance that IS controls are properly designed and effectively operating. The auditor's responsibility is to perform tests of the IS controls and provide conclusions on the results of such tests to support the audit objectives.

Future updates to the FISCAM, including implementation tools and materials, will be posted to the FISCAM website at http://www.gao.gov/special.pubs/fiscam.html.


1.4.1 Appendices

The appendices to the FISCAM, summarized below, provide additional information to assist the auditor in performing the IS controls audit.


Chapter 2. Performing the Information System Controls Audit

2.0 Introduction

The IS controls audit is performed in three phases (planning, testing, and reporting) to obtain the evidential matter necessary to achieve the objectives of the IS controls audit and the audit report. For financial audits, the auditor develops an audit strategy and an audit plan. For performance audits, the auditor develops an audit plan relevant to the audit objectives. This chapter describes the methodology for performing the IS controls audit in support of those objectives. For each of the three phases, the auditor prepares appropriate audit documentation.

In addition to the GAGAS field work and reporting standards (Chapters 4 through 8), which are generally addressed by the FISCAM, the auditor performing a GAGAS audit also should meet the requirements in Chapters 1, 2, and 3 of Government Auditing Standards.


2.1 Plan the Information System Controls Audit

In planning the IS controls audit, the auditor should consider the concepts of materiality (in financial audits and attestation engagements) and significance (in performance audits) in determining the nature and extent of audit procedures. Materiality is more fully discussed in the FAM in section 230 (Determine Planning, Design, and Test Materiality), and both materiality and significance are discussed further in GAGAS.


Planning occurs throughout the audit as an iterative process. (For example, based on findings from the testing phase, the auditor may change the planned audit approach, including the design of the audit procedures.) The auditor plans the audit to obtain the evidential matter necessary to support the objectives of the IS controls audit and the audit report. The nature and extent of audit planning procedures varies for each audit depending on several factors, including the entity's size and complexity, the auditor's experience with the entity, and the auditor's knowledge of the entity's operations.


The auditor should also determine the needs of other auditors for IS controls work to be performed and consult with them as appropriate. The auditor assesses IS risk and designs audit procedures based on that assessment. This includes obtaining an understanding of the IS controls relevant to the audit and evaluating their design to determine whether they have been implemented. In obtaining this understanding, the auditor considers how an entity's use of information technology (IT) and manual procedures affect controls relevant to the audit. The auditor's responsibilities for considering internal control in financial audits are discussed in more detail in the FAM. In attestation engagements, the auditor obtains an understanding of internal control that is material to the subject matter as necessary to achieve the objectives of the attestation engagement. In performance audits, the auditor should test information systems controls necessary to address the audit objectives. For example, the audit may involve the effectiveness of information systems controls related to certain systems, facilities, or organizations.


2.1.2 Understand the Overall Audit Objectives and Related Scope of the Information System Controls Audit

The nature, timing, and extent of IS controls audit procedures vary depending upon the audit objectives. For example, the IS controls audit may

• be performed as part of a financial or performance audit, or be performed as a separate engagement;

• comprehensively address an entire entity, a component, or a technology (e.g., wireless, a specific system, etc.), or location(s); or

• address only a subset of controls, such as general controls, business process controls, or combinations of them.

If achieving the audit objectives does not require an overall conclusion on the effectiveness of the entity's IS controls or relates only to certain components of the entity or a subset of controls, the auditor's assessment would not necessarily identify all significant IS control weaknesses that may exist. For example, a limited review of controls over a type of operating system may not identify any significant weaknesses, although there may be significant weaknesses in other areas that the auditor is unaware of because the scope of the audit is limited. Consequently, the auditor should evaluate the potential limitations of the auditor's work on the auditor's report and the needs and expectations of users. The auditor may determine that because the limitations are so significant, the auditor will (1) communicate the limitations to the management of the audited entity, those charged with governance, and/or those requesting the audit, and (2) clearly report such limitations on the conclusions in the audit report.


Based on the overall engagement objectives, the auditor should develop and document the objectives of the IS controls audit. Typical IS controls audit objectives include the following:

• To support an evaluation of IS controls, and

• To support Single Audits.

The auditor should also determine and document (such as in an audit strategy and audit plan) the appropriate scope of the IS controls audit, including

• the organizational entities to be addressed (e.g., entitywide or selected components);

• the breadth of the audit (e.g., overall conclusion on IS control effectiveness, review of a specific application or technology area, such as wireless or UNIX, etc.);

• the types of IS controls to be tested;

• general and/or business process application level controls to be tested, or selected components; or

• all levels of the entity's information systems, or selected levels (e.g., entitywide, system level, or business process application level, or selected components of them; for definitions of each level, see the section below entitled "2.2 Perform Information System Controls Audit Tests").

The auditor should also decide how the IS controls audit will be coordinated with the auditor responsible for the overall audit.


2.1.3 Understand the Entity's Operations and Key Business Processes

The auditor should obtain and document an understanding of the entity's operations and key business processes. In planning the audit, the auditor obtains information that will provide an overall understanding of the entity's organization, business, strategies, risks, and internal control for use in the planning of the IS controls audit.

The auditor's understanding of the entity includes:

• entity management and organization,

• external and internal factors affecting the entity's operations, and

• key business processes.

To plan the audit, the auditor obtains a general understanding of the entity's and the IT function's organizational structure, including key personnel and their responsibilities.

The auditor should identify significant external and internal factors that affect the entity's operations, particularly IT. External factors might include (1) IT budget, (2) external systems users, (3) current political climate, and (4) relevant legislation. Internal factors might include (1) size of the entity, (2) number of locations, (3) structure of the entity (centralized or decentralized), (4) complexity of operations, (5) IT management structure, (6) impact of information systems on business operations, (7) qualifications and competence of key IT personnel, and (8) turnover of key IT personnel. The auditor should document any significant factors that could affect the IS controls audit, including the auditor's risk assessment.

The auditor should also obtain a general understanding of the entity's business processes, particularly those processes most relevant to the audit objectives. Examples are financial management processes (such as collections) and other support processes (such as human resources, property management, or security).

Understanding the entity's operations and business processes includes understanding how business process applications are used throughout the entity. The auditor should obtain and review documentation, such as design documents, blueprints, business process procedures, user manuals, etc., and inquire of knowledgeable personnel to obtain a general understanding of each significant business process application that is relevant to the audit objectives. This includes a detailed understanding of

• business rules (e.g., removing all transactions that fail edits or only selected ones based on established criteria), and

• transaction flows (a detailed study of the entity's internal controls over a particular category of events that identifies all key procedures and controls relating to the processing of those transactions).


To assist in assessing risk and developing relevant audit procedures, the auditor may document this understanding in the form of

• a detailed organization chart, particularly of the IT and IS security functions;

• significant changes in the IT environment or significant applications implemented within the recent past (e.g., 2 years) or planned within the near future (e.g., 2 years); and

• the entity's reliance on third parties to provide IT services.

The auditor generally gathers planning information through different methods (observation, interviews, reading policy and procedure manuals, etc.) and from a variety of sources, including

• previous audits and management reviews (see section 2.1.9.C),

• entity management and personnel (including any internal control officer),

• other members of the audit organization, concerning relevant completed, planned, or in-progress assignments,

• personnel in the Office of General Counsel, and

• personnel in the Special Investigator Unit.

Also, the auditor generally gathers information from relevant reports and articles issued by or about the entity, including reports, news articles, and other publications.


2.1.4 Obtain a General Understanding of the Structure of the Entity's Networks

The auditor should obtain and document a general understanding of the structure of the entity's networks as a basis for planning the IS controls audit. The auditor's understanding includes a high-level view of the network architecture that the entity uses to implement relevant key business processes. Such an understanding helps the auditor to assess risk, identify potential critical control points on a preliminary basis, understand technologies that may be subject to audit, and identify key locations. The auditor generally should request documentation of such information from the entity, including both high-level and detailed network schematics. The information the auditor should obtain about the network includes, among other items, the remote access paths (virtual private network and dial-in).


2.1.5 Identify Key Areas of Audit Interest

The auditor should identify key areas of audit interest, which are those that are critical to achieving the audit objectives (e.g., general support and business process application systems and files, or components thereof). For a financial audit, this would include key financial applications and data and related feeder systems. For a performance audit, this would include key systems that are likely to be significant to the audit objectives.


2.1.6 Assess Information System Risk on a Preliminary Basis

The auditor should assess, on a preliminary basis, the nature and extent of IS risk, considering the significance of a loss of confidentiality, integrity, or availability to the audit objectives. The auditor should document factors that significantly increase or decrease the level of IS risk and their potential impact on the effectiveness of information system controls.

Assessing IS risk relating to the audit is different from management's risk assessment. In assessing IS risk, the auditor is not required or expected to reperform management's risk assessment. Rather, the auditor assesses IS risk on a preliminary basis using data that would be collected in the planning of the audit (this includes using the entity's risk assessments and performing other audit procedures as outlined below). The auditor's risk assessment should reflect the impact of the effectiveness of IS controls on the audit objectives.


To develop a framework for analyzing IS risk, the auditor should consider IS risk in the context of the following three security objectives:

• Confidentiality — preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. A loss of confidentiality is the unauthorized disclosure of information.

• Integrity — guarding against improper information modification or destruction, which includes ensuring information nonrepudiation and authenticity. A loss of integrity is the unauthorized modification or destruction of information.

• Availability — ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system.

In some instances, one or more of the security objectives may have more significance to the audit objectives than the others.

The auditor should identify factors or conditions that significantly increase or decrease IS risk. These factors are general in nature; the auditor uses judgment in determining (1) the extent of procedures to identify the risks and (2) the impact of such risks on the entity's operations and the audit objectives. Because this risk assessment involves the exercise of significant audit judgment, the auditor should use experienced audit team personnel to perform the risk assessment. Factors considered would include those related to inherent risk as well as those related to the control environment, risk assessment, communication, and monitoring components of internal control. The auditor identifies such factors based on information obtained in the planning phase, primarily from understanding the entity's operations and key business processes, including significant IT processing performed outside the entity.

For each risk identified, the auditor should document the nature and extent of the risk; the conditions that gave rise to that risk; and the specific information or operations affected (if not pervasive). The auditor should also document compensating controls or other considerations that may mitigate the effects of identified risks.


As noted above, the auditor should assess and document, on a preliminary basis, the nature and extent of IS risks for the information and information systems related to the key areas of audit interest, considering confidentiality, integrity, and availability. The auditor should then consider the assessed risk and its effect on the audit objectives. For example, in a financial audit, the auditor considers the likelihood of a material misstatement as a result of a loss of confidentiality, integrity, or availability. The potential impact of such a loss can be characterized using the impact levels defined in NIST FIPS 199, which include the following:

• Moderate. The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. A serious adverse effect means that, for example, the loss of confidentiality, integrity, or availability might (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries.

• High. The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.


The auditor's assessment of IS risk may change as audit evidence is obtained. To determine whether audit procedures continue to be appropriate, the auditor should periodically reassess the IS risk during the audit. For example, the auditor may reassess the IS risk level at the end of the planning and testing phases, as well as when evidence is obtained that significantly affects the auditor's risk assessment. If IS risk changes during the audit, the auditor should make any necessary changes to the nature, timing, and extent of planned audit procedures.

IS risk factors consist of the following, each of which is discussed further below:

• Inherent risk factors

• Factors related to the control environment, risk assessment, communication, and monitoring components of internal control


Inherent Risk Factors

Information systems can introduce additional risk factors not present in a manual system. To properly assess IS risk, the auditor should (1) evaluate each of the following factors and (2) assess the overall impact of information systems on IS risk. The impact of these factors typically will be pervasive in nature.

• Complexity of the processing environment: information may flow from multiple sources, and networked systems may involve multiple processing locations.

• Peripheral access devices or system interfaces can increase IS risk. For example, Internet or wireless access to a system increases the system's accessibility to additional persons and therefore increases the risk of unauthorized access to computer resources.

• Highly customized application software may have higher IS risk than vendor-supplied software that has been thoroughly tested and is in general commercial use. On the other hand, vendor-supplied software may carry its own risks, such as known weaknesses that have not been addressed.

• Limited audit trail: in some systems, the audit trails and supporting information produced exist only in electronic form or only for a limited period.

• Uniform processing of transactions: information systems process like transactions uniformly, so a processing error affects all transactions handled by the affected functions. Evidence of these processing steps (and any related controls) may or may not be visible.

• Increased potential for undetected misstatements: information systems use and store information in electronic form, and personnel with access may be able to read information and alter data without leaving visible evidence. Because information is in electronic form, changes to computer programs and data are not readily detectible.

• Nonroutine transactions: programs developed to process such transactions may not be subject to the same procedures as programs developed to process routine transactions. For example, the entity may use a utility program to extract specified information in support of a nonroutine management decision.

In addition, the auditor should evaluate the additional audit risk factors discussed in the "Additional IS Risk Factors" at the end of this section.


Risk Factors Related to the Control Environment, Risk Assessment, Communication, and Monitoring Components of Internal Control

Also, the auditor should evaluate the IT system factors discussed below, to the extent relevant to the audit objectives, in making an overall assessment of the control environment, risk assessment, communication, and monitoring components of internal control.

Additional information concerning these internal control components can be found in GAO's Standards for Internal Control in the Federal Government (the "Green Book") and Internal Control Management and Evaluation Tool, and at FAM 260, 295A, and 295B.

a. Management's attitudes and awareness with respect to IT systems: Management's interest in and awareness of IT system functions (including those performed for the entity by other organizations) is important in establishing an entitywide consciousness of control issues. Management may demonstrate its interest by

• considering the risks and benefits of computer applications;

• communicating policies regarding IT system functions and responsibilities;

• overseeing policies and procedures for developing, modifying, maintaining, and using computers, and for controlling access to programs and files;

• considering the risk of material misstatement, including fraud risk, related to IT systems;

• quickly and effectively planning for, and responding to, IT system issues; and

• using reliable computer-generated information for key operating decisions.

b. Organization and structure of the IT system function: The entity's organizational structure affects the control environment. Centralized structures often have a single computer processing organization with common application programs and system software, enabling tighter management control over IT systems. In decentralized structures, each computer center generally has its own computer processing organization, application programs, and system software, which may result in differences in policies and procedures and various levels of compliance at each location.

The way the IT function is organized can also affect the control environment. For example, the authority of the Chief Information Officer (CIO) and the extent to which duties are appropriately segregated within the IT function may introduce additional risk factors. The entity should be aware of these risks and should develop appropriate policies and procedures to respond to any IT system issues that might occur. The auditor may evaluate

• the methods for monitoring incompatible functions and for enforcing segregation of duties, and

• management's mechanism for identifying and responding to IT system issues.

Examples of potential IT-related control environment, risk assessment, communication, and monitoring weaknesses include:

• Management and personnel in key areas (such as accounting, IT systems, IG, and internal auditing) have a high turnover.

• Management's view of the accounting and IT functions is that these are necessary "bean counting" functions rather than a vehicle for exercising control over the entity's activities or making better decisions.

• The number of people, particularly in IT systems and accounting, with requisite skill levels relative to the size and complexity of the operations is inadequate.

• Management has not adequately identified risks arising from internal sources, such as human resources (ability to retain key people) or IT (adequacy of backup systems in the event of systems failure).

• Accounting systems and/or information systems, including IT systems, are not modified in response to changing conditions.


2.1.7 Identify Critical Control Points

The auditor should identify and document critical control points in the design of the entity's information systems based on the auditor's understanding of such systems, the key areas of audit interest, and IS risk. Critical control points are those system control points that, if compromised, could allow an individual to gain unauthorized access to or perform unauthorized or inappropriate activities on entity systems or data, which could lead directly or indirectly to unauthorized access or modifications to the key areas of audit interest. Control points typically include external access points to the entity's networks, interconnections with other external and internal networks, and the paths by which users and systems reach information through the entity's networks or the key areas of audit interest.

Based on information obtained during audit planning, the auditor should identify those critical control points in the entity's IT systems that are significant to the effectiveness of security over the key areas of audit interest.

An analysis of critical control points includes consideration of alternate work sites. Since multiple FISCAM control categories are relevant to alternate work sites, this topic is not addressed as a specific control in this document. For further information on this subject, refer to NIST guidance such as SP 800-46.

In identifying critical control points and in planning and performing the assessment of IS controls, auditors apply the concept of control dependencies: the effectiveness of a control at one point depends on the security of the other systems that support it. For example, the security of a router may depend on

• servers that do not require authentication and are also used as remote boot or configuration servers for the router;

• the centralized authentication server that authenticates users to the router and other network devices;

• network switches that could share sensitive data with routers, such as passwords and shared keys (also, network switches provide a trusted path to the routers);

• administrative workstations used to manage network devices, such as routers; and

• the log server, which maintains logs containing relevant information about significant network events, such as changes to the router's configuration.

In addition, as part of a review of the security of a router, the auditor generally should also review the network management servers used to manage the router's configuration. Further, the auditor generally should test other controls that may affect the security of the router, based on the auditor's judgment. Note that, in addition to controls over access to the router itself, IS controls include controls over the routing of traffic throughout the network (see AC-1 in Chapter 3).
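As an added illustration of the control point analysis described above (this is example code written for this page, not part of FISCAM or any GAO tool), the following Python script models a small, constructed network and computes three things: the control points that lie on any access path from an external entry point to a key area of audit interest; the critical ones, whose compromise or removal alone severs such a path; and the control-dependency closure of a router, mirroring the list above. The device names, the topology, and the dependency table are assumptions made for the example.

```python
"""Critical control point analysis over a constructed network model (example, not FISCAM code)."""
from collections import deque

# Constructed sample topology (an assumption for this example, not a real entity).
# A directed edge A -> B means traffic or logins originating at A can reach B.
ACCESS_PATHS = {
    "internet": ["border_router"],
    "dialin_pool": ["ras_server"],
    "border_router": ["firewall"],
    "firewall": ["vpn_concentrator", "dmz_web"],
    "vpn_concentrator": ["core_switch"],
    "ras_server": ["core_switch"],
    "dmz_web": ["core_switch"],
    "core_switch": ["financial_app", "auth_server", "log_server", "admin_workstation"],
    "admin_workstation": ["border_router", "firewall", "core_switch"],
    "auth_server": [],
    "log_server": [],
    "financial_app": [],
}

# Control dependencies (also assumed): the controls at the key node are undermined
# if any listed node is compromised, even when no access path runs through it.
CONTROL_DEPENDENCIES = {
    "border_router": ["auth_server", "core_switch", "admin_workstation", "log_server", "config_server"],
    "firewall": ["auth_server", "admin_workstation", "log_server"],
    "vpn_concentrator": ["auth_server", "log_server"],
    "auth_server": ["core_switch", "admin_workstation"],
    "core_switch": ["admin_workstation"],
}

ENTRY_POINTS = ["internet", "dialin_pool"]   # external access points to the entity's networks
KEY_AREAS = ["financial_app"]                 # key areas of audit interest


def reachable(graph, start, blocked=frozenset()):
    """Breadth-first search: nodes reachable from start without passing through a blocked node."""
    if start in blocked:
        return set()
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen and nxt not in blocked:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def control_points(graph, entries, keys):
    """Nodes that lie on at least one access path from an entry point to a key area."""
    points = set()
    for node in graph:
        if node in entries or node in keys:
            continue
        from_entry = any(node in reachable(graph, e) for e in entries)
        to_key = any(k in reachable(graph, node) for k in keys)
        if from_entry and to_key:
            points.add(node)
    return points


def critical_control_points(graph, entries, keys):
    """Control points whose single compromise or removal severs at least one entry-to-key path.

    Returns {node: [(entry, key), ...]} listing the paths each node alone guards.
    """
    critical = {}
    for node in sorted(control_points(graph, entries, keys)):
        severed = []
        for entry in entries:
            with_node = reachable(graph, entry)
            without_node = reachable(graph, entry, blocked={node})
            severed.extend((entry, k) for k in keys if k in with_node and k not in without_node)
        if severed:
            critical[node] = severed
    return critical


def dependency_closure(deps, node):
    """Transitive closure of control dependencies: every system whose compromise
    undermines the controls at node, so the auditor must cover them together."""
    return reachable(deps, node) - {node}


if __name__ == "__main__":
    for cp, paths in critical_control_points(ACCESS_PATHS, ENTRY_POINTS, KEY_AREAS).items():
        print(f"critical control point {cp}: sole chokepoint for {paths}")
    print("router review must also cover:",
          sorted(dependency_closure(CONTROL_DEPENDENCIES, "border_router")))
```

The access graph and the dependency graph are kept separate on purpose: the log server and the authentication server carry no traffic toward the financial application, so a path analysis alone would never flag them, yet the dependency closure shows that a router review is incomplete without them. In the sample topology the VPN concentrator is a control point but not a critical one, because Internet traffic still reaches the core switch through the DMZ web server when the concentrator is removed.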

As the auditor performs the IS controls audit, based on the auditor's assessment of risk and the results of audit tests, the auditor may determine that it is necessary to modify the scope of the audit, including revisions to the critical control points. For example, the auditor may learn during testing that a system outside the planned scope is used to authenticate and authorize users of legacy systems that run on different servers or systems. The auditor should determine the potential impact of any identified design weaknesses on the completeness, accuracy, validity, and confidentiality of related application data. (See Chapter 4 for a description of completeness, accuracy, validity, and confidentiality.)

Based on this understanding, the auditor should make a preliminary assessment of whether IS controls are likely to be effective, to assist in determining the nature, timing, and extent of testing. This assessment is generally based on inquiries of personnel throughout the entity, including program managers, system administrators, information resource managers, and system users; on reviewing examples of evidence of control performance; on prior audits or the work of others; and on readily available written policies and procedures. This preliminary assessment for financial audits is discussed further at FAM 270 (Determine Likelihood of Effective Information System Controls). Based on the preliminary assessment, the auditor should make any adjustments, as necessary, to the IS risk level, critical control points, and planned scope of the audit work.

Control activities for critical elements in each general control and business process control category are described in Chapters 3 and 4, respectively, and summarized in Appendix II. The auditor may use the summary tables in Appendix II, which are also available in electronic form from the FISCAM website at http://www.gao.gov/special.pubs/fiscam.html, to document preliminary findings and to assist in making the preliminary assessment of controls. As the audit progresses through testing of internal controls, the auditor may continue to use the electronic version of the tables to document controls evaluated and tested, test procedures performed, conclusions, and supporting documentation.

The auditor should include the following information in the documentation of their preliminary understanding of the design of IS controls, to the extent relevant to the audit objectives:

• An identification of relevant entitywide, system, and business process application level controls designed to achieve the control activities

• Relevant security and configuration documentation

• The results of tests performed by others (such as penetration tests, disaster recovery tests, and application-specific tests) during the last year and the auditor's evaluation of the other auditors' objectivity, competence, and conclusions (see section 2.1.9.C)

• Documented security plans

• Documented risk assessments for relevant systems (i.e., general support systems and major applications)

• System certification and accreditation documentation or equivalent for relevant systems

• Documented business continuity of operations plans and disaster recovery plans

• A description of the entity's use of third-party IT services


The auditor should obtain information from relevant reports and other documents concerning IS that are issued by or about the entity, including

• the entity's prior FISMA or equivalent reports;

• equivalent reports on performance, including reports filed to comply with the Federal Financial Management Improvement Act of 1996 (FFMIA) and the Federal Managers' Financial Integrity Act of 1982 (FMFIA);

• other reports by management or the auditors about IS;

• other reports that contain information concerning IS that are relevant to the audit objectives;

• GAO reports; and

• IG and internal audit reports (including those for performance audits and other reviews).


.9  Perform  Otiier  Audit  Planning  PropodiLrcs 

The  auditor  should  address  the  following  areas  dudng  the  planning 
phase,  even  though  lelated  audit  procedures  may  be  applied  during 
the  other  phases.  More  specifically,  the  auditor  should  address  any 
other  issues,  not  identiGed  in  the  previous  stqis,  that  could  aSect 
the  objectives,  scope,  omielhodology  of  the  IS  controls  audit, 


• communication with entity management and those charged with governance;

• consideration of the risk of fraud;

• previous audits and attestation engagements;

• multiyear testing plans;

• service organizations;

• using the work of others; and

• audit plan (and an audit strategy for financial statement audits).


FISMA, FMFIA, FFMIA, Appendix III of OMB Circular A-130, OMB Circulars A-123 and A-127, and FISMA implementing guidance. Federal laws and regulations that may affect the entity include, but are not limited to:

• Health Insurance Portability and Accountability Act of 1996

• Chief Privacy Officer


As part of an IS controls audit, the auditor's findings will typically be reported in terms of whether IS controls are effective. While laws and regulations such as FISMA, FMFIA, FFMIA, and OMB and NIST ... sometimes mandate specific ...


2.1.9.B Consideration of the Risk of Fraud

In audits performed under GAGAS, the auditor should gather and assess the risks of fraud occurring that are significant within the context of the audit objectives (for financial audits, a material misstatement) or that could affect the findings or conclusions. When auditors identify factors or risks related to fraud that has occurred or is likely to have occurred that they believe are significant within the context of the audit objectives, they should design procedures to provide reasonable assurance of detecting such fraud. In financial audits, GAGAS indicates that auditors should assess the risk of material misstatements of financial statement amounts or other financial data significant to the audit objectives due to fraud and to consider that assessment in designing the audit procedures to be performed.


The auditor's responsibilities with respect to the risk of fraud in financial statement audits are discussed further in GAGAS and in the AICPA's Auditing Standards Board Statement on Auditing ...


The auditor should meet with the audit team to discuss potential fraud risks, fraud factors such as incentives/pressures to commit fraud, the opportunity for fraud to occur, and rationalizations or attitudes that could allow individuals to commit fraud. For example, the following factors related to IS may indicate a risk of fraud:

• failure to provide an adequate security management program, including inadequate monitoring of control effectiveness;

• weaknesses in access and other IS controls that could allow overrides of internal controls or access to systems susceptible to fraud (e.g., payment systems);

• lack of adequate segregation of duties; and

• pervasive or long-standing IS control weaknesses.


The auditor should gather and assess information necessary to identify fraud risks that could be relevant to the audit objectives or affect the results of their audit. For example, the auditor may obtain information through discussion with officials of the audited entity or through other means, including the susceptibility of the program to fraud, the steps the entity has established to detect and prevent fraud, and whether officials of the audited entity ...

... procedures to provide ... The auditor should

KII'IIIIIICJLI.Kiri  FLIIM 


A specific area of concern for fraud is override of controls, particularly in ERP applications. Because ERP applications are by their nature highly integrated, the potential risk of management override of controls is heightened. The audit generally should include procedures to identify system-based overrides. These ... review of audit trails, and review of key management reports. Access controls, segregation of duties, and audit trails are discussed in Chapter 3.


The auditor should also evaluate situations or transactions that are identified through audit procedures, allegations received ..., or other means indicating that fraud may have occurred. ... The auditor should evaluate whether the possible ... Based on the results, auditors should modify the ... audited entity to identify indications ...


2.1.9.C Previous Audits and Attestation Engagements

Under GAGAS, auditors should evaluate whether the audited entity has taken appropriate corrective action to address findings and recommendations from previous engagements that are significant within the context of the audit objectives (for financial audits, those that could have a material effect on the financial statements). When planning the audit, auditors should ask entity management to identify previous audits, attestation engagements, performance audits, or other studies that directly relate to the objectives of the audit, including whether related recommendations have been implemented. For IS control audits, this would include weaknesses identified by management through its monitoring controls (e.g., for federal entities, Plans of Action and Milestones) that are relevant to the audit objectives.


... The auditor should then schedule the resources for the audit.

Regardless of the size of the entity, the auditor must still perform the necessary planning to ensure that audit requirements are fully satisfied. This includes small/independent agencies, which generally ... less risky IS ... requires inherently fewer IS controls audit resources. The Committee of Sponsoring Organizations (COSO) publication "Internal Control over Financial Reporting - Guidance for Smaller Public Companies" includes guidance that could be used by smaller agencies to assist in planning their audits.

The auditor may determine that it is necessary to contract for audit services for all or a portion of the IS controls audit. For example, the auditor may determine that it is necessary to contract only for certain technical skills needed to perform the audit. Contracting for audit services offers two significant benefits to an entity's audit organization: it allows audit coverage beyond that possible with the existing audit staff level, and it allows the audit activity to address technical and other issues in which the in-house staff is not skilled. Engagements that employ contractors in this way may help train in-house staff for future audits. However, when contracting for audit services, some in-house audit personnel generally should be actively involved. For example, the audit organization should be instrumental in determining the scope of the contracted services, and in developing the task order or request for proposal for the work. The FISCAM may be required to be used as a basis for the work to be performed.


The auditor generally should ... whether the work addressed relevant issues and the audit procedures were adequate. For financial audits, the contract monitor or audit team may reperform some tests in accordance with FAM 660, "Using the Reports and Work of Others." Also, the contract monitor should review the audit report and supporting audit documentation to determine whether the audit report is adequately supported.


2.1.9.E Multiyear Testing Plans

In circumstances where the auditor regularly performs IS controls audits of the entity (as is done, for example, by an IG or for annual financial audits), the auditor may determine that a multiyear plan for performing IS controls audits is appropriate. Such a plan will cover relevant key entity applications, systems, and processing centers. These strategies ... include ... during the ... The auditor typically ... significant general ... period, which should not be more than 3 years. For example, a multiyear testing plan for an entity with five business process applications might include testing of two or three applications annually, covering all applications in a 2- or 3-year period. For systems with higher risk, the auditor generally should perform annual testing.
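As an added illustration of the rotation described above (example code written for this page, not GAO's or the FISCAM's own material), the following Python script builds and checks a multiyear plan: the cycle is limited to 3 years, higher-risk applications are scheduled every year, and applications that were never tested or not tested within a full cycle go into the first year rather than being deferred. The application inventory, risk ratings and test years are constructed and hypothetical.

```python
"""Risk-based multiyear IS controls testing plan (constructed example)."""

MAX_CYCLE_YEARS = 3  # the rotation period "should not be more than 3 years"

# Constructed sample inventory: names, risk ratings and dates are hypothetical
APPLICATIONS = [
    {"name": "Payroll", "risk": "high", "last_tested": 2024},
    {"name": "Grants", "risk": "medium", "last_tested": None},   # never tested
    {"name": "Travel", "risk": "low", "last_tested": 2022},
    {"name": "Procurement", "risk": "medium", "last_tested": 2024},
    {"name": "Inventory", "risk": "low", "last_tested": 2023},
]


def is_stale(app, start_year, cycle_years):
    """True when the application was never tested, or its last test is older
    than one full cycle; such applications belong in the first year."""
    last = app["last_tested"]
    return last is None or start_year - last >= cycle_years


def build_multiyear_plan(applications, start_year, cycle_years=MAX_CYCLE_YEARS):
    """Return {year: [application names]} for one rotation cycle."""
    if not 1 <= cycle_years <= MAX_CYCLE_YEARS:
        raise ValueError(f"cycle must be 1..{MAX_CYCLE_YEARS} years, got {cycle_years}")
    years = [start_year + i for i in range(cycle_years)]
    plan = {year: [] for year in years}

    rotation = []
    for app in applications:
        if app["risk"] == "high":
            for year in years:          # higher-risk systems: annual testing
                plan[year].append(app["name"])
        else:
            rotation.append(app)

    # Stale applications first, then the ones with the oldest last test.
    rotation.sort(key=lambda a: (not is_stale(a, start_year, cycle_years),
                                 a["last_tested"] or 0))
    for app in rotation:
        if is_stale(app, start_year, cycle_years):
            target = years[0]
        else:
            # spread the remaining work over the least-loaded year
            target = min(years, key=lambda y: (len(plan[y]), y))
        plan[target].append(app["name"])
    return plan


def validate_plan(plan, applications):
    """Return a list of rule violations (empty when the plan is acceptable)."""
    problems = []
    years = sorted(plan)
    if len(years) > MAX_CYCLE_YEARS:
        problems.append(f"cycle of {len(years)} years exceeds {MAX_CYCLE_YEARS}")
    for app in applications:
        tested_in = [y for y in years if app["name"] in plan[y]]
        if not tested_in:
            problems.append(f"{app['name']} is not tested within the cycle")
        elif app["risk"] == "high" and len(tested_in) != len(years):
            problems.append(f"high-risk {app['name']} is not tested every year")
    return problems


if __name__ == "__main__":
    plan = build_multiyear_plan(APPLICATIONS, start_year=2025)
    for year, names in plan.items():
        print(year, ", ".join(names))
    print("violations:", validate_plan(plan, APPLICATIONS))
```

With the constructed inventory, the high-risk Payroll application appears in all three years, the never-tested Grants and the three-year-old Travel tests land in the first year, and the remaining two applications are spread over the second and third years.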


Such multiyear testing plans are ... for first-time audits, ... the significant business process applications or ... have not been tested within a sufficiently recent ... period, or for audited entities that do not ...

... full testing; examples of ... control changes, and co... ... the control environment, documentation, ... including walk-throughs. For example, ... or system level critical control points, the ...


As part of this communication, it may be useful to provide several ... (a) ... performing denial-of-service testing, (b) coordinating testing with the audited site, (c) having knowledgeable personnel from the audited site monitoring all testing, (d) testing the tools that will be used and gaining expertise in their use, (e) loading test parameters, (f) logging testing and results, (g) using network analyzers to monitor loads placed on the network during testing, and (h) performing testing during nonpeak hours, if possible.

... include information about such items as the organization's range of Internet Protocol addresses and telephone numbers (particularly sensitive numbers that should be excluded from testing), analog telephone lines, wireless connections, internet access paths, policies governing user accounts and passwords, ... might also be addressed.
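As an added example (not part of the FISCAM), the following Python check applies the scope information the passage says should be communicated: the organization's IP ranges and telephone block, and the sensitive hosts and numbers to be excluded from testing. It rejects any candidate target that is outside the agreed ranges or on the exclusion list before any testing starts, which is the kind of record the audited site's monitoring personnel and the test log under items (c) and (f) can be reconciled against. All ranges, hosts and numbers are constructed placeholders.

```python
"""Scope check for testing targets agreed with the audited entity (constructed example)."""
import ipaddress

# Constructed scope agreement: every value below is a hypothetical placeholder
IN_SCOPE_NETWORKS = ["10.1.0.0/16", "192.0.2.0/24"]   # organization's address ranges
EXCLUDED_HOSTS = ["10.1.9.9"]                          # sensitive host excluded from testing
IN_SCOPE_PHONE_PREFIXES = ["202555"]                   # organization's telephone block
EXCLUDED_NUMBERS = ["2025550199"]                      # sensitive number excluded from testing


def normalize_number(text):
    """Keep only digits so '202-555-0142' and '(202) 555-0142' compare equal."""
    return "".join(ch for ch in text if ch.isdigit())


def classify_targets(targets, in_scope_networks, excluded_hosts,
                     in_scope_prefixes, excluded_numbers):
    """Split candidate targets into (approved, rejected).

    rejected is a list of (target, reason) pairs so the decision is logged
    alongside the testing results."""
    networks = [ipaddress.ip_network(n, strict=False) for n in in_scope_networks]
    excluded_ips = {ipaddress.ip_address(h) for h in excluded_hosts}
    excluded_nums = {normalize_number(n) for n in excluded_numbers}
    approved, rejected = [], []
    for target in targets:
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            addr = None
        if addr is not None:
            # Exclusions are checked first so an excluded host inside the
            # range is still rejected.
            if addr in excluded_ips:
                rejected.append((target, "host excluded from testing"))
            elif not any(addr in net for net in networks):
                rejected.append((target, "outside the organization's IP ranges"))
            else:
                approved.append(target)
            continue
        digits = normalize_number(target)
        if not digits:
            rejected.append((target, "not an IP address or telephone number"))
        elif digits in excluded_nums:
            rejected.append((target, "sensitive number excluded from testing"))
        elif not any(digits.startswith(p) for p in in_scope_prefixes):
            rejected.append((target, "outside the organization's telephone block"))
        else:
            approved.append(target)
    return approved, rejected


if __name__ == "__main__":
    candidates = ["10.1.2.3", "10.1.9.9", "198.51.100.5",
                  "202-555-0142", "202-555-0199", "301-555-0100"]
    ok, bad = classify_targets(candidates, IN_SCOPE_NETWORKS, EXCLUDED_HOSTS,
                               IN_SCOPE_PHONE_PREFIXES, EXCLUDED_NUMBERS)
    print("approved:", ok)
    for target, reason in bad:
        print("rejected:", target, "-", reason)
```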


2.1.9.G Service Organizations

... procedures performed in support of critical element SM-7, "Ensure that Activities Performed by External Third Parties are Adequately Secure." For example, the auditor should determine how ...

If IS controls are performed by service organizations, the auditor should document conclusions whether such controls are significant to the audit objectives and any audit procedures performed with respect to ...

... should:

• evaluate whether the description of the service organization's system and, for type 2 reports, the service auditor's description of tests of controls and results thereof, is as of a date or for a period that is appropriate for the user auditor's purposes;

• evaluate the sufficiency and appropriateness of the evidence provided for the understanding of internal control relevant to the audit;

• evaluate whether the specific tests of controls performed by the service auditor and the results thereof as described in the type 2 report are relevant to assertions in the user entity's financial ...

• determine whether complementary user entity controls identified by the service organization are relevant to the user entity and, if so, obtain an understanding of whether the user entity has designed and implemented such controls and test such controls.


2.1.9.H Using the Work of Others

... the work of ... specialists, the auditor should evaluate ... the qualifications ... for ...

Evaluating the professional qualifications of the specialist involves the following:

a. the professional certification, license, or other recognition of the competence of the specialist in his or her field, as appropriate;

b. the reputation and standing of the specialist in the views of peers and others familiar with the specialist's capability or performance;

c. the specialist's experience and previous work in the subject matter; and

d. the auditor's prior experience in using the specialist's work.

If the auditor plans to use the work of others, the auditor should document conclusions concerning the planned use of the work of others and any audit procedures performed with respect to using the work of others.


2.1.9.I Audit Plan

... engagement, the auditor should incorporate such information, as appropriate, into the overall audit plan. If the IS controls audit is a component of a financial audit, the auditor should incorporate such information, as appropriate, with the overall audit plan and audit strategy for the financial audit. Additionally, the auditor generally should use the IS controls audit plan as a tool in communicating with the audited entity. Also, if the auditor believes that another auditor will use his or her work, the auditor may use the plan to coordinate with the other auditor.

In planning the audit, the auditor generally will first assess the effectiveness of entitywide and system level general controls prior to assessing business process application level controls. Unless the purpose of the audit is to identify control weaknesses in the ... effectively, the auditor may conclude that assessing business process application level controls is not efficient or necessary to achieve the audit objectives. In such cases, the auditor should develop appropriate findings and consider the nature and extent of risks and their effect on the audit objectives and the nature, timing, and extent of audit procedures. However, if an audit objective is to identify control weaknesses within a business process application, an assessment of the business process application level controls would be appropriate. Also, testing of business process application level controls may be warranted when the auditor finds general control weaknesses ...


2.1.10 Documentation of Planning Phase

The auditor should document the following information developed in the planning phase:

• ... part of a broader audit, a description of how such objectives support the overall audit objectives.

• The scope of the IS controls audit.

• The auditor's understanding of the entity's operations and key business processes, including, to the extent relevant to the audit objectives, the following:

  • The significance and nature of the programs and functions supported by information systems;

  • ... business processes relevant to the audit objectives, including business rules, transaction flows, and application and software module interaction;

  • Significant general support systems and major applications;

  • Background information request, if used;

  • Significant internal and external factors that could affect the IS controls audit objectives;

  • Detailed organization charts, particularly the IT and the IS components;

  • Significant changes in the IT environment/architecture or significant applications implemented within the past 2 years or planned within the next 2 years; and

  • The entity's reliance on third parties to provide IT services (e.g., in-house, remote connectivity, remote processing).

• A general understanding of the structure of the entity's ...

• Key areas of audit interest, including relevant general support systems and major applications and files. This includes (1) the operational locations of each key system or file, (2) significant components of the associated hardware and software (e.g., firewalls, routers, hosts, operating systems), (3) other significant systems or system-level resources that support the key areas of audit interest, and (4) prior audit problems reported. Also, the auditor should document all access paths in and out of the key ...

• Factors that significantly increase or decrease IS risk and their potential impact on the effectiveness of information system controls. For each risk identified, the auditor should document the nature and extent of the risk; the conditions that gave rise to that risk; and the specific information or operations affected (if ...

• ... ineffective controls at the entitywide level and the related ...

• Identification of business process level controls for key applications identified as key areas of audit interest, determination of where those controls are implemented (placed in operation) within the entity's systems, and the auditor's conclusion about whether the controls are designed effectively, including identification of control activities for ...

• ... actions planned to address ...

• Documented risk assessments for relevant systems (e.g., general support systems and major applications);

• Documented business continuity of operations plans and ...

• ... to consider the risk of ... the auditor believes could affect ... procedures to detect any ...

• Current multiyear testing plans;

• Documentation of communications with entity ...

• If IS controls are performed by service organizations, conclusions whether such controls are significant to the audit objectives and any audit procedures performed with respect to such controls (e.g., review of service auditor ...

• If the auditor plans to use the work of others, ... concerning the planned use of the work of others ...

• Audit plan (and for financial audits, audit strategy) that adequately describes the objectives, scope, ...

• Any decision to reduce testing of IS controls ... identification of significant IS control weaknesses ...


2.2 Perform Information System Controls Audit Tests

2.2.1 Overview

In the IS controls audit, the auditor uses information obtained in the planning phase to test the effectiveness of IS controls that are relevant to the audit objectives. As audit evidence is obtained through performing control testing, the auditor should reassess the audit plan and consider whether changes are ...

As discussed in Chapter 1, this manual is organized in a hierarchical structure to assist the auditor in performing the IS controls audit. Chapter 3 provides information concerning the general controls, and Chapter 4 provides information concerning four business process application level controls. Each of the chapters contains several control categories, which are groupings of related controls pertaining to similar types of risk. For each control category, this manual discusses the key underlying concepts and the potential risks if the controls in the category are ineffective.


Chapter 3 is organized by five general control categories:

• security management,

• access controls,

• configuration management,

• segregation of duties, and

• contingency planning.

Chapter 4 is organized by four business process application level control categories:

• business process application level general controls (also referred to as application security),

• business process controls,

• interface and conversion controls, and

• data management systems controls.

The last three business process application level control categories are collectively referred to herein as "business process application controls."

... critical elements, they are generally relevant to a GAGAS audit unless the related control category is not relevant, the audit scope is limited, or the auditor determines that, due to significant IS control weaknesses, it is not necessary to assess the effectiveness of all relevant IS controls. Within each relevant control activity, the auditor should identify control techniques implemented by the entity and determine whether the control techniques, as designed, are sufficient to achieve the control activity, considering IS risk and the audit objectives. The auditor may be able to determine whether control techniques are sufficient to achieve a particular control activity without evaluating and testing all of the control techniques. Also, depending on IS risk and the audit objectives, the nature and extent of control techniques necessary to achieve a particular control objective will vary.

As discussed in Chapter 1, the FISCAM lists specific control activities and techniques and related suggested audit procedures. These are described at a high level and assume some level of expertise for an auditor to perform these audit procedures effectively. Accordingly, the auditor, applying judgment, should develop more detailed audit steps and tailor control activities based on the specific software and control techniques employed by the entity, the audit objectives, and significant areas of audit interest. Further, the auditor is responsible for identifying any necessary changes to IS control-related criteria, including changes to control activities and techniques, based on publications issued after December 2008. Future updates to the FISCAM, including any implementation tools and related materials, will be posted to the FISCAM website at http://www.gao.gov/special.pubs/fiscam.html

Also, the auditor should evaluate the nature and extent of testing performed by the entity. Such information can assist in identifying key controls and in assessing risk, but the auditor should not rely on testing performed by the entity in lieu of appropriate auditor testing.

As discussed later in this section, if the control techniques implemented by the entity, as designed, are not sufficient to address the control activity, or the control techniques are not effectively implemented as designed, the auditor should determine the effect on IS controls and the audit objectives.


The auditor identifies control techniques and determines the effectiveness of controls at each of the following levels:

• Entitywide level. Controls at the entity or component level consist of componentwide processes designed to achieve the control activities. They are focused on how the entity or component manages IS related to each general control activity in Chapter 3. For example, the entity or component may have an entitywide process for configuration management, including establishment of accountability and responsibility for configuration management, broad policies and procedures, development and implementation of monitoring programs, and possibly centralized configuration management tools. The absence of entitywide processes may be a root cause of weak or inconsistent controls, for example, by increasing the risk that IS controls are not ...

• System level. ... for managing specific system resources related to either a general support system or major application. These controls are more specific than those at the entity or component level and generally relate to a single type of technology. Within the system level are three further levels that the auditor should assess: network, operating system, and infrastructure application. The three sublevels can be defined as follows:

  • Network. A network is an interconnection of ...

  • ... software that is used to assist in performing systems operations, including management of network devices. These applications include databases, e-mail, browsers, plug-ins, utilities, and applications not directly related to business processes. For example, infrastructure applications alone ...

• Business process application level. ... process application level consist of policies and procedures for controlling specific business processes. For example, the entity's configuration management should reasonably ensure that all changes to application systems are fully tested and authorized.

Chapter 3 includes general control activities that are applicable to the entitywide and system levels, and Chapter 4 includes the general controls ... techniques and related suggested audit procedures. Table ... the control categories applicable at each level.


... critical control point. The auditor should evaluate potential ways in which the critical control point could be accessed. Generally, for each critical control point, this would include assessing controls related to the network, operating system, and infrastructure application sublevels. For example, if a particular router was ... point, the auditor generally should ...

• the organizational entities to be addressed (e.g., entitywide, selected component(s), etc.);

• the breadth of the audit (e.g., overall conclusion on IS control effectiveness, review of a specific application or technology area, ...

... activities in Chapters 3 and 4 are generally relevant to all audits. However, if the auditor is not performing a comprehensive audit, for example, an application review, then there may be no need to assess controls in Chapter 3.

• For each relevant IS control technique, determine whether it is suitably designed to achieve the control activity and has been placed in operation (if not done earlier).


• Perform tests to determine whether such control techniques ...

• Identify potential weaknesses in IS controls. For each potential weakness, consider the impact of compensating controls and factors that mitigate or reduce the risks related to potential ...


infomHtionproi 
arvsuniiK.'jini,  ii 


le  and  ttne  ot  records  aim  source  ooci 
issinj!  invuiviKi  iniiii  mo  inii.imi 
i  Dioces^i%  including  the  nature  ot  CO] 
ler  in  ntndi  uiei  are  accessed,  iqidateu. 


jnin  nnncj^LTuminp.  nuiin^f  on  jiuojjitnLion  rhnnunen  ni  nnnii  ninniunr. 


ns  that  aie  significant  to  the  a 


m  ijie  i:^  iiunii.  in  ui 


... objectives and audit scope, the extent of IS risk and the preliminary understanding of IS controls, the process for identifying relevant control techniques is summarized below.

For IS audits that are stand-alone GAGAS audits, generally all of the control categories, critical elements, and control activities are relevant to the audit objectives, unless specifically not part of the audit objectives. For example, in an evaluation of the effectiveness of business process controls in a specific application, the general controls in Chapter 3 may or may not be part of the audit objectives.

At the entitywide level and for each critical control point (including control dependencies) at the system and business process application levels, the auditor should identify and document the control techniques used by the entity to achieve each relevant control activity. For purposes of illustration, using the example of ... (see section 2.1.7), the auditor would identify and document the control ...


II  I 


(including control dependencies) at system and business process application levels. For example, if the IS control is the review of an exception report, the auditor should identify and test the business process application controls directly related to the production of the exception report, as well as the general and other business process application controls upon which the reliability of the information in the exception report depends, including the proper functioning of the business process application that generated the exception report and the reliability of the data used to generate the exception report. In addition, the auditor should test the effectiveness of the user control (i.e., management review and follow-up on the items in the exception report).

For each relevant IS control technique, the auditor should determine whether it is (1) designed effectively to achieve its related control activity, considering IS risk and the audit objectives, and (2) implemented (placed in operation). The auditor may be able to determine whether control techniques are sufficient to achieve a particular control activity without evaluating and testing all of the ...

For efficiency, the auditor may implement a tiered approach to the identification and evaluation of the design effectiveness of relevant IS control techniques, as discussed later in this section, beginning with entitywide level controls, followed by system level controls, then by business process application level controls.

Appendices II and III may be used to identify and summarize relevant IS controls at the entitywide, system, and business process application levels.

Test Information System Controls

The auditor should design and conduct tests of relevant control techniques that are effective in design to determine their effectiveness in operation.

It is generally more efficient for the auditor to test IS controls on a tiered basis, starting with the general controls at the entitywide and system levels, followed by the general controls at the business process application level, and concluding with tests of business process application, interface, and data management system controls at the business process application level. Such a testing strategy may be used because ineffective IS controls at each tier generally preclude effective controls at the subsequent tier.
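As an added example (written for this page, not code from GAO or the FISCAM), the following Python model covers both the exception report example above and the tiered testing strategy: it lists every control a user control depends on, orders them entitywide, system, application, user, and marks a control as precluded when a control it depends on was found ineffective, so a downstream control is never reported as effective on the strength of a weak foundation. The control names, tiers and dependency links are constructed and hypothetical.

```python
"""Control dependencies and tiered assessment of IS controls (constructed example)."""

TIER_ORDER = {"entitywide": 0, "system": 1, "application": 2, "user": 3}

# control -> level at which it operates (hypothetical)
TIER = {
    "Entitywide access control policy": "entitywide",
    "Entitywide configuration management policy": "entitywide",
    "OS account management": "system",
    "Database access restriction": "system",
    "Application change control": "application",
    "Exception report generation": "application",
    "Transaction data integrity": "application",
    "Management review of exception report": "user",
}

# control -> controls whose effectiveness it relies on (hypothetical links)
DEPENDENCIES = {
    "Management review of exception report": ["Exception report generation",
                                             "Transaction data integrity"],
    "Exception report generation": ["Application change control",
                                    "Database access restriction"],
    "Transaction data integrity": ["Database access restriction",
                                   "Application change control"],
    "Application change control": ["Entitywide configuration management policy"],
    "Database access restriction": ["Entitywide access control policy",
                                    "OS account management"],
    "OS account management": ["Entitywide access control policy"],
    "Entitywide access control policy": [],
    "Entitywide configuration management policy": [],
}


def controls_to_test(control):
    """The control plus everything it depends on (transitively), ordered
    entitywide -> system -> application -> user for tiered testing."""
    seen, stack = set(), [control]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(DEPENDENCIES.get(current, []))
    return sorted(seen, key=lambda c: (TIER_ORDER[TIER[c]], c))


def assess(control, results, memo=None):
    """Status of one control given test results {control: True/False}:
    'effective', 'ineffective', 'untested', or 'precluded' when a control it
    depends on is ineffective or itself precluded."""
    if memo is None:
        memo = {}
    if control in memo:
        return memo[control]
    dep_status = [assess(dep, results, memo) for dep in DEPENDENCIES.get(control, [])]
    if any(s in ("ineffective", "precluded") for s in dep_status):
        status = "precluded"          # weak lower tier: do not rely on this control
    elif control in results:
        status = "effective" if results[control] else "ineffective"
    else:
        status = "untested"
    memo[control] = status
    return status


def assess_all(control, results):
    """Status of every control in the tiered test list for `control`."""
    memo = {}
    return {c: assess(c, results, memo) for c in controls_to_test(control)}


if __name__ == "__main__":
    results = {c: True for c in TIER}
    results["Entitywide access control policy"] = False   # one entitywide weakness
    for name, status in assess_all("Management review of exception report", results).items():
        print(f"{TIER[name]:<12} {status:<12} {name}")
```

In the sample run, a single ineffective entitywide access control policy precludes reliance on the system-level account and database controls beneath the exception report, and therefore on the report and its management review, while the change-control chain that rests on the configuration management policy is still reported as effective.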

If the auditor identifies IS controls for testing, the auditor should evaluate the effectiveness of

• general controls at the entitywide and system level;

• general controls at the business process application level; and

• specific business process application controls (business process controls, interface controls, data management system controls), and/or user controls, unless the IS controls that achieve the control objectives are general controls.

The auditor should determine whether entitywide and system level general controls are effectively designed, implemented, and operating effectively by

• identifying applicable general controls;

• determining how those controls function, and whether they have been placed in operation; and

• evaluating and testing the effectiveness of the identified controls.

The auditor should document the understanding of general controls and should conclude whether such controls are effectively designed, placed in operation, and, for those controls tested, operating as intended.

Based on the results of the IS controls audit tests, the auditor should determine whether the control techniques are operating effectively to achieve the control activities. Controls that are not properly designed to achieve the control activities or that are not operating ...

Tests of General Controls at the Entitywide and System Levels

The auditor may test general controls through a combination of procedures, including observation, inquiry, inspection (which includes a review of documentation on systems and procedures), and reperformance using appropriate test software. Although sampling is generally not used to test general controls, the auditor may use sampling to test certain controls, such as those involving


If general controls at the entitywide and system levels are not effectively designed and operating as intended, the auditor will generally be unable to obtain satisfaction that business process application-level controls are effective. In such instances, the auditor should (1) determine and document the nature and extent of risks resulting from ineffective general controls and (2) identify and test any manual controls that achieve the control objectives that the IS controls were to achieve.

However, if manual controls do not achieve the control objectives, the auditor should determine whether any specific IS controls are designed to achieve the objectives. If not, the auditor should develop appropriate findings principally to provide recommendations to improve internal control. If specific IS controls are designed to achieve the objectives, but are in fact ineffective because of poor general controls, testing would typically not be necessary, except to support findings.


The IS controls specialist should

resulting from ineffective

The auditor should determine

management, and user controls necessary to achieve the control objectives where the entitywide, system, and application-level general controls were determined to be effective.

If IS controls are not likely to

If the auditor determined in a prior year that controls in a particular accounting application were ineffective and if management indicates that controls have not significantly improved, the auditor need not test them.


Observation of the operation of controls can be a reliable source of evidence. For example, the auditor may observe the verification of edit checks and password controls. However, observation provides evidence about controls only when the auditor was present. The auditor needs other evidence to be satisfied controls functioned the same way throughout the

The auditor may review documentation of control policies and procedures,

regarding confidentiality or logical access. Review of documents will allow the auditor to understand and assess the design of


Reperformance of the control could be used to test the effectiveness of some programmed controls by exercising the control with test data. For example, the auditor could prepare a file of transactions that contains known errors and determine if the application identifies and reports the known errors.
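The reperformance test just described, as an added example that is not part of the FISCAM text: a Python stand-in for an application's edit checks (assumed here, not any real system's) is run over a constructed transaction file into which known errors have been seeded, and the auditor's comparison shows whether the control reported every seeded error, including the case where one check is switched off.

```python
import csv
import io
from datetime import datetime

# Constructed sample transaction file (not real data). Rows 2, 3 and 4 carry
# errors the auditor seeded on purpose; rows 1 and 5 are clean.
SAMPLE_FILE = """txn_id,post_date,vendor_id,amount,approver
1001,2009-03-02,V100,250.00,jsmith
1002,2009-03-02,V101,-40.00,jsmith
1002,2009-03-03,V102,80.00,
1004,2009-13-01,V103,99999.99,kjones
1005,2009-03-04,V104,1200.50,kjones
"""

# The auditor's record of what was seeded: (data row number, error code).
KNOWN_ERRORS = {
    (2, "amount_not_positive"),
    (3, "duplicate_txn_id"),
    (3, "missing_approver"),
    (4, "invalid_date"),
    (4, "amount_over_limit"),
}

AMOUNT_LIMIT = 10000.00  # assumed single-transaction limit for the edit check


def edit_checks(text, enforce_limit=True):
    """Stand-in for the application's programmed edit checks (hypothetical).

    Returns the set of (row_number, error_code) the application would report.
    `enforce_limit=False` simulates a control that has been disabled, so the
    reperformance test can show what a missed error looks like.
    """
    findings = set()
    seen_ids = set()
    for row_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=1):
        txn_id = row["txn_id"].strip()
        if txn_id in seen_ids:              # duplicate transaction identifier
            findings.add((row_no, "duplicate_txn_id"))
        seen_ids.add(txn_id)

        try:                                # posting date must be a real date
            datetime.strptime(row["post_date"], "%Y-%m-%d")
        except ValueError:
            findings.add((row_no, "invalid_date"))

        amount = None
        try:                                # amount must be numeric
            amount = float(row["amount"])
        except ValueError:
            findings.add((row_no, "amount_not_numeric"))
        if amount is not None:
            if amount <= 0:
                findings.add((row_no, "amount_not_positive"))
            elif enforce_limit and amount > AMOUNT_LIMIT:
                findings.add((row_no, "amount_over_limit"))

        if not row["approver"].strip():     # every transaction needs an approver
            findings.add((row_no, "missing_approver"))
    return findings


def reperformance_result(reported, known):
    """Auditor's comparison of what the control reported against what was seeded."""
    return {
        "missed": known - reported,         # seeded errors the control failed to flag
        "unexpected": reported - known,     # flags not explained by the seeded errors
        "effective": reported == known,     # control reported exactly the known errors
    }


if __name__ == "__main__":
    ok = reperformance_result(edit_checks(SAMPLE_FILE), KNOWN_ERRORS)
    print("all checks on :", ok)
    broken = reperformance_result(edit_checks(SAMPLE_FILE, enforce_limit=False), KNOWN_ERRORS)
    print("limit check off:", broken)
```

A non-empty `missed` set is the evidence the auditor would cite that the programmed control is not operating effectively, while `unexpected` flags point at a control whose behaviour differs from its documented design.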

In assessing the operating effectiveness of IS controls, the auditor may determine that it is appropriate to attempt to gain access to identified key systems (e.g., vulnerability assessments or penetration tests). Consideration should be given to performing this

upgrade occurs, (2) major changes are made to the environment in which the system operates, and (3) serious weaknesses are identified that may impact the system. See NIST SP 800-53A (appendix on penetration testing) for further guidance on penetration testing. In performing this testing, it is important that the auditor and entity management have a common understanding of the type of tests to be performed, scope of the tests, and the risks involved in performing this testing. See SM-6 for further discussion of vulnerability assessments.

the effectiveness of entitywide and security

relevant

may include

achieving the related control objectives, the location of the network component in relation to the key areas of audit interest, and the extent of consistency in the configuration of the components.


Documentation of Control Testing Phase

•  An understanding of the information systems that are relevant to the audit objectives

•  IS control activities relevant to the audit objectives

•  By level (e.g., entitywide, system, business process application) and system sublevel (e.g., network, operating system, infrastructure applications), a description of control techniques used by the entity to achieve the relevant IS control objectives and activities

•  By level and sublevel, specific tests performed, including

   <  related documentation that describes the nature, timing, and extent of the tests;

   <  evidence of the effective operation of the control techniques or lack thereof (e.g., memos describing procedures and results, output of tools and related analysis);

   <  if a control is not achieved, any compensating controls or other factors and the basis for determining whether they are effective;

Appendices II and III may be used to summarize the results of


2.3 Report Audit Results

For each critical element, the auditor should make a summary determination as to whether the critical element is achieved, considering entitywide, system, and business process application levels collectively. The auditor should evaluate the effect of related underlying control activities that are not achieved. In addition, based on identified weaknesses, the auditor should determine

identified by the audit were

Plans of Action and Milestones (POA&Ms)

If not, the auditor generally should attempt to determine why they were not identified by the entity as appropriate and report weaknesses in the reporting process.

Also, the auditor should evaluate whether the aggregate combination of weaknesses could result in unauthorized access to

audits and attestation engagements

the following sections.

an example of a simplified network schematic annotated with weaknesses related to key system components.

disbursement system. If compensating controls or other factors are present, the auditor should document such controls or factors, test them appropriately to determine whether they effectively mitigate the identified IS control weaknesses, and draw conclusions about the nature and extent of the risks that remain after considering such

with governance, and those requesting the audit and (2) clearly report such limitations on the conclusions in the audit report. For example, in reporting on an audit of an operating system, the auditor may determine that it is appropriate to clearly report that the scope of the assessment was limited to the operating system and that, consequently, additional IS control weaknesses may exist that could impact the effectiveness of IS controls related to the operating system and to the entity as a whole.

The auditor should express the effect of identified IS control weaknesses in terms of the audit objectives. The following sections provide guidelines for assessing IS controls in financial and performance audits. For financial audits and attestation engagements, GAGAS states that auditors should report material weaknesses and other significant deficiencies.


2.3.1 Financial Audits and Attestation Engagements

IS control weaknesses, individually or in the aggregate, constitute a significant deficiency or material weakness in financial reporting. The auditor should coordinate these procedures with the overall audit team. For financial audits, GAGAS and OMB Circular A-123 state that a control deficiency exists when the design or operation of a control does not

performing their assigned functions, to prevent or detect misstatements on a timely basis. A deficiency in design exists when a control necessary to meet the control objective is missing or

that is more than inconsequential will not be prevented or

deficiency, or combination of

more than a remote

of the financial statements

or attestation engagements)

deficiency, but continues to refer to it as a reportable condition.

In determining whether IS control deficiencies, individually or in the aggregate, constitute a significant deficiency or material weakness, the auditor should evaluate several factors, including the following:

access to or perform unauthorized or inappropriate activities on key entity systems or files that could affect information recorded in the financial statements. This might include (1) the ability to

(including feeder systems), thereby enabling unauthorized users

directly or through the introduction of unauthorized software; (2) the ability to directly access and modify files containing financial information; or (3) the ability to assign unauthorized application user rights, thereby entering unauthorized

•  the nature of unauthorized access that could be obtained (e.g., limited to system or application programmers or system administrators; all authorized system users; or anyone through

unauthorized external access through the Internet); or the nature of unauthorized or inappropriate activity that could be

application controls, would prevent or detect such unauthorized access. Generally, if the effectiveness of such other controls depends on computer processed information, it is unlikely that they could effectively prevent or detect such access, unless the identified IS control weaknesses could not reasonably result in the ability to compromise such other controls. The risk that management con

through excessive access rights

control. In either case, the auditor considers whether internal control is sufficient to meet the following control objectives insofar as those objectives pertain to preventing or detecting misstatements, losses, or noncompliance that would be material in relation to the financial


•  Reliability of financial reporting—transactions are properly recorded, processed, and summarized to permit the preparation of the financial statements and supplemental information in accordance with Generally Accepted Accounting Principles (GAAP), and assets are safeguarded against loss from unauthorized acquisition, use, or disposition.

•  Compliance with applicable laws and regulations—transactions are executed in accordance with laws governing the use of budget authority; other laws and regulations that could have a direct and material effect on the financial statements or required supplementary information (RSI); and any other laws, regulations, and governmentwide policies identified by OMB in its audit guidance.

The auditor may report weaknesses that do not meet the criteria for significant deficiencies in a letter to management or orally to an appropriate level of the entity. The auditor may include suggestions for corrective action for these less significant weaknesses if enough is understood about their cause. (More detailed information on how and where to report control weaknesses for financial statement audits is presented in sections 580.48 through 580.52 of the FAM.)

Note that SAS 115, issued in October 2008, which is incorporated into GAGAS, revised the definitions of material weakness and significant deficiency for financial audits. The SAS is effective for audits of financial statements for periods ending on or after December 15, 2009. The revised definitions are as follows:

•  A material weakness is a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected on a timely basis.

•  A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those

Check the FISCAM website for any updates at http://www.gao.gov/special.pubs/fiscam.html.


2.3.2 Performance Audits

are not effective in achieving the IS control objectives relevant to the audit) and communicate identified weaknesses;

■  limit reporting to identified weaknesses without providing an overall conclusion (e.g., "based on our work we identified the

and any deficiencies in internal control that are significant within the context of the audit objectives and based upon the audit work performed. Determining whether and how to communicate to officials of the audited entity internal control deficiencies that have an inconsequential effect on the financial statement or subject matter is a matter of professional judgment. Auditors should document such communications. The auditor may report such

■  The likelihood that an individual could obtain unauthorized access to or perform unauthorized or inappropriate activities on key entity systems or files that could affect key areas of audit interest. This might include (1) the ability to obtain root access to systems that house key areas of audit interest (including supporting systems), thereby enabling an intruder to read, add, delete, modify, or exfiltrate data either directly or through the introduction of unauthorized software; (2) the ability to directly access and modify files related to key areas of audit interest; or (3) the ability to assign unauthorized application user rights, thereby enabling an intruder to enter unauthorized transactions

■  The likelihood that other controls, including business process application controls, would prevent or detect such unauthorized access. Generally, if the effectiveness of such other controls depends on computer processed information, it is unlikely that they could effectively prevent or detect such access, unless the identified IS control weaknesses could not reasonably result in the ability to compromise such other controls.


2.3.3 Other Audit Reporting Considerations

It is important to report IS control weaknesses in terms that are understandable to individuals who may have limited expertise regarding information systems issues. In this regard, the auditor generally should define technical terms and avoid jargon and undefined abbreviations and acronyms.

Auditors should develop the elements of the findings to the extent necessary to achieve the audit objectives. The extent to which the auditor should develop the elements for a finding (criteria, condition, cause, and effect) depends on the audit objectives. If auditors are able to sufficiently develop the findings, they should provide recommendations for corrective action if they are significant within the context of the audit objectives.

Criteria describe the required or desired state, or what is expected from the program or operation. Condition is the actual situation. Cause is the factor or factors responsible for the difference between condition and criteria. Effect is the impact of the difference between the condition and the criteria. This information helps senior management understand the significance of the weakness and develop appropriate corrective actions. For most types of IS control weaknesses, this manual includes a discussion of risks and potential negative effects that can be adapted for audit reports. GAO has issued numerous reports that can be used as models for reporting computer-related weaknesses. Current IS reports can be obtained from GAO's report database on GAO's Web site (http://www.gao.gov).

In many cases, auditors will have detailed information on control weaknesses that is too technical to be meaningful to most senior managers and other users of the audit report, but may be valuable to the entity's technical staff to aid in understanding the precise cause of the weaknesses and in developing corrective actions. The auditors generally should provide this information to the entity's technical staff in briefings. The auditor should provide information to technical staff that is in substance the same as that reported to

The auditor should effectively communicate the results of an IS

reports. This serves several purposes, including

•  informing the audited entity and those charged with governance of control weaknesses; issues of noncompliance with laws, regulations, and provisions of contracts or grant agreements; and instances of fraud, illegal acts, or abuse;

•  providing the audited entity with recommendations to correct such control weaknesses;

•  providing the financial or performance auditor an understanding of the information systems control environment and the effects of IT on the processing of transactions;

•  complying with legal reporting requirements; and

•  complying with auditing standards, including generally accepted government auditing standards.

However, the auditor should avoid the disclosure of sensitive IS data. An individual could potentially compromise a system from any location in the world, as long as they have access to a computer and a telephone line or Internet connection. Technical information discussed in an audit report could potentially assist individuals by reducing the time and effort to obtain unauthorized access and compromise a system. Also, to avoid disclosure of sensitive information, the auditor should provide draft IS reports to the entity for a sensitivity review. The auditor should evaluate entity sensitivity concerns and make appropriate report revisions, considering legal or regulatory requirements, including the exercise of information classification authority.

Generally, in the federal environment, either one report with limited distribution or two reports, one of which has limited distribution,

not be put on entity Web sites or released under FOIA, generally depending on the degree of extensiveness of sensitive data. Even though these reports may not be posted on entity Web sites, they are still typically issued to entity management. Also, state laws and regulations may affect the form of reporting. For further information, see Information Systems Security Auditing: Legal

whether the IS control weaknesses, individually or in the aggregate, constitute a material weakness for FMFIA reporting or a lack of substantial compliance of the entity's systems with FFMIA. See FAM 260.63-67 for further information. Also, further information about reporting IS control weaknesses in relation to a financial audit is discussed in FAM 580 (Draft Reports).

OMB Circular A-123 provides requirements for complying with FMFIA. The Circular requires management to assess controls and provide an annual assurance statement on the overall adequacy and

represent significant weaknesses in the design or operation of internal control that could adversely affect the organization's ability to meet its internal control objectives. For the assessment of internal control over financial reporting, Circular A-123 uses the same definitions for material weakness and significant deficiency described above for financial audits, except that OMB uses the term reportable condition rather than the term significant deficiency. Also, FMFIA and OMB Circular A-123 require management to report nonconformances with system requirements. The Circular defines nonconformances as instances in which financial management systems do not substantially conform to financial systems requirements. Financial management systems include both financial and financially-related (or mixed) systems.

The auditor should evaluate the material weaknesses reported under FMFIA to determine whether they meet the definitions of material weakness and reportable condition for reporting as part of management's assertion about the effectiveness of internal control.

significant deficiency

weakness in an agency's

program or management control

information

agency to carry out its mission

security of its information, information systems, or other resources, operations, or assets. In this case, the risk is so serious that the agency head and outside agencies must be informed and immediate or near-immediate corrective action must be taken.

FFMIA requires agencies to implement and maintain financial management systems that comply substantially with federal financial management systems requirements, applicable federal accounting standards, and the U.S. Government Standard General

transaction level. FFMIA requires auditors to assess

system requirements. IS control weaknesses are a

for federal agencies and the general public and are

frequently cited reasons for noncompliance with FFMIA.

•  For financial audits and attestation engagements, the auditor's determination of whether identified weaknesses represent material weaknesses or significant deficiencies, and the basis for

•  As appropriate, the auditor's considerations and determinations concerning FMFIA, FFMIA, and other reporting responsibilities.


2.4 Documentation

GAGAS has general documentation requirements for financial and

Financial Audits - Auditors must prepare audit documentation in connection with each engagement in sufficient detail to provide a clear understanding of the work performed (including the nature, timing, extent, and results of audit procedures performed), the audit evidence obtained and its source, and the conclusions reached. Auditors should prepare audit documentation that enables an experienced auditor, having no previous connection to the audit, to understand a. the nature, timing, and extent of auditing procedures performed to comply with GAGAS and other applicable standards and requirements; b. the results of the audit procedures performed and the audit evidence obtained; c. the conclusions reached on significant matters; and d. that the accounting records agree or reconcile with the audited financial statements or other audited information.

Attestation Engagements - Auditors must prepare attest documentation in connection with each engagement in sufficient detail to provide a clear understanding of the work performed (including the nature, timing, extent, and results of attest procedures performed); the evidence obtained and its source; and

documentation in sufficient detail to enable an experienced auditor, having no previous connection to the attestation engagement, to understand from the documentation the nature, timing, extent, and results of procedures performed and the evidence obtained and its source and the conclusions reached, including evidence that supports the auditors' significant judgments and conclusions. Auditors should prepare documentation that contains support for findings, conclusions, and recommendations before they issue their

Auditors also should document the following for attestation engagements performed under GAGAS: a. the objectives, scope, and methodology of the attestation engagement; b. the work performed to support significant judgments and conclusions, including descriptions of transactions and records examined; c. evidence of supervisory review, before the report is issued, of the work

outside a computerized information system, or plans for direct

and (3) the effect on the attestation engagement report if evidence to be gathered does not afford a reasonable basis for achieving the objectives of the engagement.

Performance Audits - Auditors must prepare audit documentation related to planning, conducting, and reporting for each audit. Auditors should prepare audit documentation in sufficient detail to enable an experienced auditor, having no previous connection to the audit, to understand from the audit documentation the nature, timing, extent, and results of audit procedures performed, the audit evidence obtained and its source and the conclusions reached, including evidence that supports the auditors' significant judgments and conclusions. Auditors should prepare audit documentation that contains support for findings, conclusions, and recommendations before they issue their report. Auditors should document the following: a. the objectives, scope, and methodology of the audit; b. the work performed to support significant judgments and conclusions, including descriptions of transactions and records examined; and c. evidence of supervisory review, before the audit report is issued, of the work performed that supports findings, conclusions, and recommendations contained in the audit report.

In addition to meeting these general requirements, the auditor should include, in IS controls audit documentation, the specific information discussed throughout this chapter, and summarized in Appendix X.


2.5 Other Information System Controls Audit Considerations

In addition to the above, the auditor should apply the following topics and techniques to the extent they are relevant to the entity, the audit objectives, and the audit procedures.

•  Additional IS risk factors

•  Automated audit tools

•  Sampling techniques

FISMA independent evaluations in Appendix VII, VIII, and IX, respectively.

As part of the risk assessment, the auditor should also evaluate the following additional IS risk factors to the extent that they are relevant to the entity and the audit objectives. The auditor's risk assessment also includes other risk factors not listed here (e.g., Voice over Internet Protocol - VoIP).


2.5.1.A Defense-in-Depth Strategy

Defense-in-Depth is a commonly accepted "best practice" for implementing computer security controls in today's networked environments. In some agencies, the auditor may encounter this strategy as part of the agency's security management program.

Where an effective Defense-in-Depth strategy has been implemented by the entity, the auditor's assessment of IS risk would generally be lower. Conversely, where this strategy is not used, the auditor's assessment of IS risk would generally be higher. The auditor's IS control testing generally provides evidence about the effectiveness of a Defense-in-Depth strategy. See Chapter 3 (AC-1 and SM-5) for additional information on Defense-in-Depth strategy.

The people component of Defense-in-Depth begins with a senior-level commitment (e.g., officer level) that is based on a clear understanding of the perceived threat. This commitment must be implemented with effective information security policies and procedures, assignment of roles and responsibilities, commitment of resources, training and awareness programs (for both users and system administrators), and personnel accountability, which includes the establishment of physical and personnel security measures to control and monitor access to facilities and critical elements of the information technology environment.

The operations component focuses on all activities required to sustain an entity's security posture on a day-to-day basis. These activities include

•  maintaining up-to-date system security policies,

•  establishing certification and accreditation processes,

•  managing information system security (including virus updates and maintaining access control lists),

•  performing system security assessments (for example, vulnerability assessments),

•  auditing and monitoring system activity and responding to threats, and

•  implementing recovery and reconstitution procedures in the

The technology component includes defense in multiple places and layered defense mechanisms that provide intrusion prevention, detection, and response to security incidents. Since attackers may target multiple points in an information system, an entity needs to deploy protection mechanisms at multiple locations including the protection of local and wide area communication networks (for example, from denial of service attacks), protection for data transmitted over the networks (for example, use of encryption and traffic flow security measures), defense of enclave boundaries (for example, deploy firewalls and intrusion detection systems), and defense of the computing environment (for example, access controls on hosts and servers). Even the best security products have inherent weaknesses, so it is only a matter of time before an attacker finds an exploitable vulnerability. Therefore, it is important to deploy layered defense mechanisms such as nested firewalls coupled with intrusion detection at outer and inner network boundaries, between the adversary and the target.

2.5.1.B Web Applications

Web applications, which use a web browser as part of the application, present significant additional IS risks because, if not properly controlled, they can expose the application and the entity's systems to unauthorized access. In some instances, the risk related to the application itself may be low because it is not critical or it does not contain sensitive information. However, if not properly controlled, it could be used to obtain unauthorized access to other entity system resources. Therefore, due to the heightened risk, even if a web application itself is not part of the scope of the audit, the auditor should assess the effectiveness of web application security and, as appropriate, general controls to determine whether the information system controls over the application could allow unauthorized access through the application to other system resources.


tant for

control objectives are achieved in ERP systems. The auditor should supplement the FISCAM with audit considerations and techniques that are specific to the particular ERP system being audited. Although ERP systems share some similar functionality, the way they are implemented and the audit techniques (e.g., specific system checks, analysis of superuser capabilities) applied will vary with the particular vendor.

Factors affecting the overall risk related to ERP systems include the

related to it
generally i

resources that could lead to denial of service. Further, general controls over the ERP system and its supporting database and operating systems are important to adequately protect access to the underlying data and networks.

• Because ERP systems are on-line, real-time systems, data validation controls are critical to reasonably assure that only valid data is processed by the ERP systems. Controls in ERP systems tend to be preventive rather than detective, as subsequent detection and correction of errors may be costly or


capabilities and functions may still be present. Consequently, the risks related to configuration management and monitoring are increased, and the entity should secure and monitor such modules.

ERP systems contain certain controls that are not changeable by the entity. It is important to understand these controls and how they help to achieve the IS control objectives.

In addition, due to the increased risks discussed above, there are a number of other controls that are of increased significance in ERP systems, including controls relating to:


• powerful user roles/profiles, including defaults

• default user IDs and default passwords

• default system configurations

• access to critical tables/databases

•  mviIMUIIIIKIIKW 

• the effectiveness of the settings of configurable controls

• sensitive reports/outputs


2.5.1.D Interface Controls


Interface controls are particularly important when applications rely on input from legacy systems. Such legacy systems are sometimes called feeder systems. In certain instances, such legacy systems may not have been designed to fully achieve the control objectives of the applications they support. Consequently, the auditor evaluates the adequacy of interface controls and of application

tions to provide reasonable

ved. One area of risk exists
multiple installations of the
than one host system.

system and/or application

geographically distributed
requirements. nmn ;n-;iii:iii
these factors.
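The kinds of checks an interface control can apply to a batch received from a feeder system, as an added example that is not part of the FISCAM text. The record layout (pipe-delimited H/D/T records), the trailer convention (the sender's record count and control total), the field rules and the sample batch are all constructed assumptions; the point is that record-level validation is preventive (a bad record never reaches the receiving application) while the trailer reconciliation catches lost, duplicated or altered records before anything is posted.

```python
"""Interface controls for input received from a legacy feeder system.

Added example, not part of FISCAM: the record layout (H/D/T records, pipe
delimited), the trailer convention (sender's record count and control
total) and the sample batch are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

# Constructed feeder file. Line 5 duplicates line 2, line 4 carries a
# negative amount and line 6 has a malformed account number; the trailer
# reflects what the sender actually transmitted (5 records, sum 2557.50).
SAMPLE_FEED = """\
H|PAYROLL_LEGACY|2024-03-15
D|000123|2024-03-14|1250.00|USD
D|000124|2024-03-14|87.50|USD
D|000125|2024-03-14|-40.00|USD
D|000123|2024-03-14|1250.00|USD
D|00012A|2024-03-14|10.00|USD
T|5|2557.50
"""

ACCOUNT_RE = re.compile(r"^\d{6}$")
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


@dataclass
class ValidationResult:
    accepted: list = field(default_factory=list)      # records safe to post
    rejected: list = field(default_factory=list)      # (line_no, reason)
    batch_errors: list = field(default_factory=list)  # completeness failures

    @property
    def ok(self) -> bool:
        return not self.rejected and not self.batch_errors


def validate_feed(text: str) -> ValidationResult:
    """Apply record-level validation and batch-level reconciliation."""
    result = ValidationResult()
    seen = set()
    received = 0
    received_total = Decimal("0")
    trailer = None

    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("|")
        tag = fields[0]
        if tag == "H":            # header: source system and batch date
            continue
        if tag == "T":            # trailer: sender's count and control total
            trailer = fields
            continue
        if tag != "D" or len(fields) != 5:
            result.rejected.append((line_no, "malformed record"))
            continue

        _, account, date, amount_text, currency = fields
        received += 1
        try:
            amount = Decimal(amount_text)
        except InvalidOperation:
            result.rejected.append((line_no, "unparseable amount"))
            continue
        received_total += amount  # totals cover everything received, not only accepted

        key = (account, date, amount_text, currency)
        if not ACCOUNT_RE.match(account):
            result.rejected.append((line_no, "invalid account number"))
        elif not DATE_RE.match(date):
            result.rejected.append((line_no, "invalid date"))
        elif amount <= 0:
            result.rejected.append((line_no, "amount must be positive"))
        elif currency != "USD":
            result.rejected.append((line_no, "unsupported currency"))
        elif key in seen:
            result.rejected.append((line_no, "duplicate record"))
        else:
            seen.add(key)
            result.accepted.append({"account": account, "date": date, "amount": amount})

    # Batch-level reconciliation against the sender's trailer.
    if trailer is None or len(trailer) != 3:
        result.batch_errors.append("missing or malformed trailer record")
        return result
    try:
        expected_count = int(trailer[1])
        expected_total = Decimal(trailer[2])
    except (ValueError, InvalidOperation):
        result.batch_errors.append("unparseable trailer values")
        return result
    if expected_count != received:
        result.batch_errors.append(
            f"record count {received} does not match trailer {expected_count}")
    if expected_total != received_total:
        result.batch_errors.append(
            f"control total {received_total} does not match trailer {expected_total}")
    return result


if __name__ == "__main__":
    r = validate_feed(SAMPLE_FEED)
    print("accepted:", len(r.accepted), "rejected:", r.rejected, "batch:", r.batch_errors)
```

On the constructed batch the trailer reconciles (the sender really did send five records totalling 2557.50), so the batch-level check passes while three records are rejected individually; dropping one detail record from the batch makes both the count and the control total disagree with the trailer, which is the condition an interface control must surface before the real-time system posts anything.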


Implementations of network-based access control systems (such as LDAPs, including the Microsoft Active Directory®) introduce the potential for specific vulnerabilities. Network-based access control

The appropriate configuration of the operating systems and all factors that can affect the functioning of the operating systems for these hosts needs to be carefully controlled. A flaw in operating

reliability of the control functions provided by the network-based

Application architectures that employ network-based access control systems involve a shared or common reliance on these controls. Therefore, a compromise of a network-based access control system has the potential of contributing to the compromise of other systems.


2.5.2 Automated Audit Tools

auditor should understand
• when they could be used,

In addition, the auditor should be adequately trained in the use/operation of these tools and in the interpretation of the results. Because some tools generate a significant volume of information, the auditor should understand how to analyze such information.


• Determine a methodology to evaluate and select software.

• Develop a procedure to train personnel in its use.

• Develop a review process to determine whether the software tool has produced results commensurate with its cost.

There are many different types of automated audit tools:

• Commercial software such as Microsoft Excel®, etc., may be used by the auditor for analyzing data imported from client files, writing audit programs, etc.

• Generalized audit software may be used by the auditor to query and extract information from the entity's information system. For example, data extraction tools and reporting facilities for access control software can identify users with excess privileges that

• An {>11IIH''I4]INI

the client's software that is under separate control of the auditor and has undergone program code analysis to ensure that the processing is identical to that of the client's operational software.


specific tasks in specific

I'ni.s  iioimm

crackers can identify the use of vendor-default or

sniffers (software that can intercept and log traffic on a network) can identify the
sensitive information in clear text

software) can help identify
detect unauthorized wireless


CAATs can also be used in testing the effectiveness of controls, as a companion to other controls testing. This would typically involve making a sample selection of transactions and walking them through the system, or developing an integrated test facility and processing test data through the system. The advantage of using CAATs


documentation (such as logs) may be tested by inspecting such evidence. If sufficient evidence cannot be obtained through walkthroughs in combination with observation, inquiry, and other non-sampling tests, the auditor generally should obtain more evidence by using sampling procedures to select individual items for inspection. The auditor may use multipurpose testing to use the same sample to test controls, compliance, and/or substantive tests

(such as balances in financial statements). Multipurpose testing is usually more efficient than separately designed samples. Alternatively, the auditor may design a sample to test controls alone. In this case, the auditor generally should use random attribute sampling. FAM section 460 (Sampling Control Tests) provides additional information on the use of this sampling technique, including those that can be applied to performance audits.
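Two points from section 2.5.2 above worked in code, as an added example that is not GAO's or FISCAM's own tooling: the generalized-audit-software use of an access-control export to identify users with privileges beyond their role (and accounts with vendor-default names, one of the ERP controls of increased significance), followed by a random attribute sample drawn from the flagged population for a controls-only test. The export layout, the role baseline, the default-account list and the user records are all constructed assumptions.

```python
"""Privilege review and attribute sampling over an access-control export.

Added example, not from FISCAM or GAO: the export layout, the role
baseline, the list of vendor-default account names and the user records
are constructed. A real review would read the entity's actual export.
"""
import csv
import io
import random

# Constructed export, in the shape an access-control reporting facility
# might produce (one row per account).
ACCESS_EXPORT = """\
user_id,role,privileges,last_login
jdoe,clerk,READ;POST,2024-03-01
asmith,clerk,READ;POST;APPROVE,2024-03-02
bwong,supervisor,READ;POST;APPROVE,2024-02-20
sysadmin,admin,READ;POST;APPROVE;CONFIG;USERADMIN,2024-03-03
guest,clerk,READ,2023-01-05
ckim,clerk,READ;POST;USERADMIN,2024-03-04
dlee,supervisor,READ;APPROVE,2024-03-04
"""

# Constructed baseline: the most each role is allowed to hold.
ROLE_BASELINE = {
    "clerk": {"READ", "POST"},
    "supervisor": {"READ", "POST", "APPROVE"},
    "admin": {"READ", "POST", "APPROVE", "CONFIG", "USERADMIN"},
}

# Constructed list of vendor-default account names worth confirming.
DEFAULT_ACCOUNT_IDS = {"guest", "sysadmin", "admin"}


def parse_export(text):
    """Read the CSV export; privileges become a set per user."""
    users = list(csv.DictReader(io.StringIO(text)))
    for u in users:
        u["privileges"] = {p for p in u["privileges"].split(";") if p}
    return users


def find_excess_privileges(users, baseline):
    """Map user_id -> sorted privileges beyond the role baseline.
    An unknown role is treated as allowing nothing, so it is always flagged."""
    findings = {}
    for u in users:
        excess = u["privileges"] - baseline.get(u["role"], set())
        if excess:
            findings[u["user_id"]] = sorted(excess)
    return findings


def find_default_accounts(users, default_ids):
    """Accounts whose name matches a known vendor-default identifier."""
    return sorted(u["user_id"] for u in users if u["user_id"].lower() in default_ids)


def draw_attribute_sample(population_ids, sample_size, seed):
    """Random selection without replacement for an attribute test.
    Recording the seed lets a reviewer reproduce exactly which items were drawn."""
    rng = random.Random(seed)
    return sorted(rng.sample(sorted(population_ids), sample_size))


def attribute_test(sample_ids, authorized_ids):
    """Attribute tested: the account has an approved access request on file.
    Returns (deviations, sample deviation rate)."""
    deviations = [uid for uid in sample_ids if uid not in authorized_ids]
    return deviations, len(deviations) / len(sample_ids)


if __name__ == "__main__":
    users = parse_export(ACCESS_EXPORT)
    print("excess:", find_excess_privileges(users, ROLE_BASELINE))
    print("defaults:", find_default_accounts(users, DEFAULT_ACCOUNT_IDS))
    sample = draw_attribute_sample([u["user_id"] for u in users], 3, seed=20240315)
    # Constructed: approved access requests are on file for these accounts only.
    print("sample:", sample, attribute_test(sample, {"jdoe", "asmith", "bwong", "dlee"}))
```

The privilege comparison is against a documented baseline rather than against whatever the system currently grants, which is what makes "excess" a finding the auditee can act on; the seed is recorded with the sample so the selection can be re-performed during review, and the deviation rate is the sample statistic FAM section 460's attribute-sampling evaluation starts from.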


Chapter  3.  Evaluating  and  Testing  General 
Controls 


3.0  Introduction 


sequently, the auditor
effectiveness of general


In planning the evaluation of IS controls, the auditor identifies areas of audit interest and critical control points. In identifying these areas, the auditor considers business process applications that are relevant to the audit objectives. Also, the auditor considers the network components that are most significant to the effectiveness of IS controls over the areas of audit interest. In planning the

evaluation of general controls, the auditor considers the most effective and efficient manner to gather evidence to determine the effectiveness of general controls over these critical control points. For example, if a business process application for benefit payments is a key area of audit interest, the auditor's testing of general controls is designed, to the extent possible, to focus on those general controls that most directly affect the application.

The evaluation of general controls includes the following five

• configuration m
cnuntiL^s  u

aspects of computer-related operations
jniinkii^iirv  ouiiiruiu:.  siM.iiiii,  wriiii  ui
critical operations continue without d


information to evaluate entity practices. For each critical element, the auditor should make a summary determination as to the effectiveness of the entity's related controls at the entitywide,

system, and application levels. If a critical element is not achieved, the respective control category is not likely to be achieved. The auditor should use professional judgment in making such determinations.

To evaluate the effectiveness of general controls, the auditor identifies control techniques implemented by the entity to achieve

The  control  lod   i.  hir  I.,   hi  !,■ -is  ..■■Jn,- lo

ar  d

about the subject can be effectively performed at an entity. More detailed audit steps generally should be developed by the auditor based on the specific software and control techniques employed by the entity. Table 3 shows the relationship between the general


should include consideration of all potential ways in which the critical control point could be accessed. Generally, for each critical control point, this would include assessing controls related to the network, operating system, and infrastructure application components. For example, if a particular router was deemed to be a critical control point, the auditor would test controls related to the router itself (a network component), as well as its operating system and the infrastructure applications used to manage the router. Access to any of these could lead to access to the control point.

To facilitate the auditor's evaluation, tables identifying commonly used control techniques and related audit procedures are included after the discussion of each critical element and also in appendix II.

These tables can be used for both the preliminary evaluation and the more detailed evaluation and testing of controls. For the preliminary evaluation, the auditor can use the tables to guide and document initial inquiries and observations; for the more detailed evaluation and testing, the auditor can use the suggested procedures in developing and carrying out a testing plan. Such a plan would include more extensive inquiries; inspections of facilities, systems, and written procedures; and tests of key control techniques, which may include using audit or system software and vulnerability analysis tools. To help document these evaluations and allow steps to be tailored to individual audits, electronic versions of the tables are available on our FISCAM website at http://www.gao.gov/special.pubs/fiscam.html.

When evaluating general controls, auditors may want to supplement the control techniques and audit procedures contained in this document with other guidance, including

• National Institute of Standards and Technology (NIST) information security standards and guidelines;

• applicable OMB policy and guidance;

• international security standards published by the International Organization for Standardization and the International Electrotechnical Commission;

• Information Systems Audit and Control Association (ISACA) auditing standards, guidelines, and procedures; and


3.1. Security Management (SM)

An entitywide information security management program is the foundation of a security control structure and a reflection of senior management's commitment to addressing security risks. The security management program should establish a framework and continuous cycle of activity for assessing risk, developing and implementing effective security procedures, and monitoring the effectiveness of these procedures. Overall policies and plans are developed at the entitywide level. System and application-specific

procedures and controls implement the entitywide policy. Without a well-designed program, security controls may be inadequate; responsibilities may be unclear, misunderstood, or improperly implemented; and controls may be inconsistently applied. Such conditions may lead to insufficient protection of sensitive or critical resources and disproportionately high expenditures for controls over low-risk resources. Through FISMA, Congress requires each federal agency to establish an agencywide information security program to provide security to the information and information assets of the agency.


Security Program Guidance

General guidance on planning and managing an information security program is contained in (1) NIST SP 800-12, which provides guidance on security-related management, operational and

management principles found at leading organizations (discussed in the next section). NIST has published a series of information security standards and guidelines for agencies to effectively manage risk to entity operations and entity assets. Key publications are:

• FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems

• FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems

• NIST SP 800-53, Recommended Security Controls for Federal Information Systems.


FIPS Publication 200 provides

1. a specification fo

for

In applying the provisions of FIPS 200, agencies first categorize their systems as required by FIPS 199 (see Table 3), and then typically select an appropriate set of security controls from NIST SP 800-53 to satisfy their minimum security requirements. NIST reviews and updates the controls in NIST SP 800-53 annually to ensure that the


controls represent the cu

FIPS 200 and its supporting publication NIST SP 800-53 establish conditions to enable organizations to be flexible in tailoring their security control baselines. Agencies may, for example, appl

to consideration the issues relat

services, to assist managers in understanding how to establish and implement an information security program. This handbook summarizes and augments a number of existing NIST standards and guidance documents and provides additional information on related

Other guidance supporting implementation of FIPS 199 and FIPS 200 includes

• NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems

• NIST SP 800-30, Risk Management Guide for Information Technology Systems

• NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems

• NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories

These and other publications, directives, and policies that support FISMA are available from NIST's website (http://csrc.nist.gov).


Security Management Critical Elements

evaluating the entity's efforts to perform each of the critical

The following sections discuss each of these critical elements and the control activities that support their achievement. At the end of each critical element, a summary table is presented that associates each control activity with techniques that agencies can use to perform the activity, as well as procedures for auditing the critical elements and control activities.


Critical Element SM-1: Establish a Security Management Program

Entities should have policies, plans, and procedures that clearly describe the entity's security management program. FISMA requires federal agencies to develop, document, and implement an agencywide information security program to provide security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. The security management program should cover all major systems and facilities and outline the duties of those who are responsible for overseeing security and those who own, use, or rely on the entity's computer

The entity's security management program should be adequately documented. The nature and extent of the documentation of the program may vary. For federal entities, at a minimum, the program should adequately reflect the agency's consideration of the following eight elements of an agencywide information security program required by FISMA.


and compliance with applicable standards and guidance and with agency-determined system configuration requirements;

security awareness training for agency employees and

periodic management testing and evaluation that includes testing

of operations plans and procedur

While most of these elements are covered in this section, security incident procedures are covered in section 3.2 on access controls, and continuity of operations is covered in section 3.5 on contingency planning.

The security management program may be documented in the form of a separate written security management program plan or may consist of several documents that collectively constitute the security management program. The documentation should be supported by subordinate (system and application level) plans and procedures; related policies should cover all major systems and facilities and outline the duties of those responsible for overseeing security (the security management function), as well as those who own, use, or

example, new
policies and procedur
level) plans. Similarly

The security management pro
appropriate level of managem
include the documentation in
management. In addition,

the Director of OMB review federal agency security management programs at least annually and approve or disapprove them.

Finally, to be effective, the security program documentation should be maintained to reflect current conditions. It should be periodically reviewed and, if appropriate, updated and reissued to reflect changes in risk due to factors such as changes in entity mission or the types and configuration of computer resources in use. Revisions to policies and plans should be reviewed, approved, and communicated to all employees. Outdated policies and plans not only reflect a lack of adequate top management concern, but also may be ineffective because they may not address current risks.


SM-1.2. A security management structure has been established

Senior management should establish a

personnel who play a role in evaluating the appropriateness and effectiveness of computer-related controls on a day-to-day basis. These personnel include program managers who rely on the entity's computer systems, system administrators, and system users.

As an illustration of the different responsibilities of a security management structure, FISMA establishes responsibilities for certain agency officials as follows:

• the agency head is responsible for (1) providing risk-based information security, (2) complying with FISMA requirements and related NIST standards, (3) ensuring integration of information security management with agency strategic and operational planning, (4) ensuring adequacy of trained information security personnel, and (5) ensuring receipt of annual reporting from the CIO;

• the CIO is to have authority from the agency head to ensure compliance with FISMA, including responsibility for (1) designating a senior agency information security official, (2) developing and maintaining the agency information security program and related policies and procedures, (3) training and overseeing information security personnel, and (4) assisting senior agency officials with their information security responsibilities;

• senior agency officials are responsible for information security for operations and assets under their control, including (1) assessing risk, (2) determining levels of appropriate security, (3) implementing policies and procedures to cost-effectively reduce risks to an acceptable level, and (4) periodically testing and evaluating security controls.

Our survey of leading organizations found that a central management focal point is key to ensuring that the various activities associated with managing risk are carried out. Such responsibility is assigned to a central security program office. A central security program office may be supplemented by individual security program managers, designated in units within the entity, who assist in the implementation and management of the organization's security program. These individual unit security managers should report to

Responsibilities of the central security program office may include

• coordinating development and distribution of security policies and procedures,

• routinely monitoring compliance with these policies,

• promoting security awareness among system users,

• planning and coordinating security-related activities, including coordination of geographically dispersed security groups,

• ensuring that desktop security plans are integrated with infrastructure and database security plans,

• providing reports to senior management on policy and control evaluation results and advice to senior management on security

policy issues. IlltCI

!UIM  l^lfVrU'f  I'OIKieilLS  14'lL'Cllllk!  |;1h1II1>I4I[>IIJU,I!  ruiii  IIVULILieinrill

MifnsinriHdT  nnii^i,iir(iK:

• have sufficient resources to carry out their responsibilities, including staff and tools (for example, computers, established ELiinit imis, and specialized security software);

• i[LMiTi'[LMv]u'c^i]iiL iiij.ieraviiTa of the security function;

• not be assigned responsibilities that diminish their objectivity;

• have sufficient training and knowledge of control concepts, computer hardware, software, telecommunications, management and data access methods, pertinent legislation, and administration and organizational issues.


SM-1.3. Security responsibilities are clearly assigned

Security-related responsibilities of offices and individuals throughout the entity that should be clearly defined include those of

resources management and data processing personnel, (3) senior management and (4) security administrators. Further, responsibility for individual employee accountability regarding the use and disclosure of information resources should be established. Appendix III of OMB Circular A-130 requires that the rules of the system and application "shall clearly delineate responsibilities and

expected behavior of all individuals with access ... and shall be clear about the consequences of behavior not consistent with the rules."

Senior management and information resource management have ultimate responsibility for providing direction and ensuring that information security responsibilities are clearly assigned and carried

the various computer resources, iiaiiuuliicK il.ir.i ni,-. and what the

responsibilities of users, and (3) determine the
needs of these users. Once these factors are deter
resource owner can identify persons authorized to
'■V  unu  nil'  cvuiiii.fM  .sill

to ensure that all users can access the resources they need. This defeats the purpose of access controls and, depending on the

sensitivity of the resources involved, can unnecessarily provide opportunities for fraud, sabotage, and inappropriate disclosures.

SM-1.4. Subordinate security plans are documented, approved, and kept up-to-date

Entities should have written security

application level that cover networks, facilities, and

groups of systems, as appropriate. The

aid  pdie         p  pn  e  T  P  0

NIST SP 800-18 and Appendix III of OMB Circular A-130 provide guidance on what should be included in system

FISMA states that "each agency shall develop, document, and implement ... subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems, as appropriate." System-level plans should identify the system-level architecture (for example, network configuration, control points, etc.), operational policies and procedures, and any application-level plans. Application plans should contain similar elements such as procedures and controls specific to the application.

System security plans should be clearly documented and, according to Appendix III of OMB Circular A-130, cover each general support system and each major application. The circular further specifies the topics to include in the plans. Topic names will differ depending

application, but the subject matter will be similar. The required topics are shown in table 4.

To help ensure that the system security plan is complete and supported by the entity as a whole, senior management should obtain agreement from all affected parties to establish policies for a security program. Such agreements will also help ensure that

throughout the agency are consistent with overall entitywide policies

and procedures in accordance with Appendix III of OMB Circular A-130

may be ineffective because the


SM-1.5. An inventory of systems is developed, documented, and kept up-to-date

To implement an effective security program, entities need to maintain a complete, accurate, and up-to-date inventory of their

systems. Without one, the entity cannot effectively manage IS controls across the entity. For example, effective configuration management requires the entity to know what systems they have and whether the systems are configured as intended. Furthermore, the inventory is necessary for effective monitoring, testing, and evaluation of IS controls, and to support information technology planning, budgeting, acquisition, and management.

FISMA requires that each agency develop, maintain, and annually update an inventory of major information systems operated by the agency or under its control. OMB Circular A-130 defines a major information system as a system that requires special management attention because of its importance to an agency mission; its high development, operating, or maintenance costs; or its significant role in the administration of agency programs, finances, property, or other resources. The inventory must include identification of the

networks, including interfaces not controlled by the agency. The
the agency systems for
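What "knowing what systems they have and whether they are configured as intended" looks like as a repeatable check, as an added example that is not part of FISCAM: the inventory of record is reconciled against what discovery and configuration collection actually observed, producing the three findings an auditor looks for (systems on the network that are not in the inventory, inventoried systems that cannot be found, and inventoried systems whose configuration has drifted from the intended baseline). The inventory entries, the observed host data and the intended settings are constructed assumptions.

```python
"""Reconcile the inventory of record against observed systems.

Added example, not from FISCAM: the inventory, the observed host data and
the intended settings are constructed; in practice they would come from the
entity's system inventory and from discovery or configuration-collection tooling.
"""

# Constructed inventory of record: host -> owner and intended configuration.
INVENTORY = {
    "pay-app-01": {"owner": "Payroll", "config": {"ssh_root_login": "no", "ntp": "on", "patch_level": "2024-02"}},
    "pay-db-01":  {"owner": "Payroll", "config": {"ssh_root_login": "no", "ntp": "on", "patch_level": "2024-02"}},
    "hr-web-01":  {"owner": "HR",      "config": {"ssh_root_login": "no", "ntp": "on", "patch_level": "2024-02"}},
    "fin-rpt-01": {"owner": "Finance", "config": {"ssh_root_login": "no", "ntp": "on", "patch_level": "2024-02"}},
}

# Constructed observation: what discovery and configuration collection found.
OBSERVED = {
    "pay-app-01": {"ssh_root_login": "no",  "ntp": "on",  "patch_level": "2024-02"},
    "pay-db-01":  {"ssh_root_login": "yes", "ntp": "on",  "patch_level": "2023-11"},
    "hr-web-01":  {"ssh_root_login": "no",  "ntp": "off", "patch_level": "2024-02"},
    "test-box-7": {"ssh_root_login": "yes", "ntp": "off", "patch_level": "unknown"},
}


def reconcile(inventory, observed):
    """Return unknown hosts, missing hosts and per-host configuration drift."""
    known, found = set(inventory), set(observed)
    drift = {}
    for host in sorted(known & found):
        intended = inventory[host]["config"]
        actual = observed[host]
        # (intended, observed) for every setting that does not match the baseline
        diffs = {k: (v, actual.get(k)) for k, v in intended.items() if actual.get(k) != v}
        if diffs:
            drift[host] = diffs
    return {
        "unknown_hosts": sorted(found - known),   # on the network, not in inventory
        "missing_hosts": sorted(known - found),   # in inventory, not found
        "drift": drift,                           # configured differently than intended
    }


def findings(report, inventory):
    """Render the reconciliation as audit finding lines, attributed to the owner."""
    lines = []
    for host in report["unknown_hosts"]:
        lines.append(f"{host}: not in inventory; owner unknown")
    for host in report["missing_hosts"]:
        lines.append(f"{host}: in inventory ({inventory[host]['owner']}) but not observed")
    for host, diffs in report["drift"].items():
        detail = ", ".join(f"{k} intended {a!r} observed {b!r}" for k, (a, b) in sorted(diffs.items()))
        lines.append(f"{host} ({inventory[host]['owner']}): {detail}")
    return lines


if __name__ == "__main__":
    for line in findings(reconcile(INVENTORY, OBSERVED), INVENTORY):
        print(line)
```

Each finding maps back to an owner from the inventory, which is what lets the result feed the monitoring, testing and planning uses of the inventory described above; an unknown host has no owner to attribute to, which is itself the finding.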


Table 5 presents control activities for critical element SM-1, techniques that entities may use to perform the activity, and procedures for auditing the critical element and control activities.

SM-1 Related NIST SP 800-53 Controls

See the first control for each family (e.g., AC-1, AT-1)

PL-2 System Security Plan

PL-3 System Security Plan Update

PL-6 Security-Related Activity Planning

SA-2 Allocation of Resources


Critical  Element  SM-2.  Period  ill 


developing  or  modltvlng  an  enuiv  s  securiiv  policies  ana  seeurttv 
plans,  ouch  assessments  are  mpoitant  because  they  help  make 
certain  that  all  threats  and  vubieiabilibes  are  identified  and 
consldeied.  that  the  greatest  iteks  are  addressed  and  that 
^^iropriate  decisions  are  made  legardii^  n4iich  risks  to  accept  and 
viach  to  nutigate  throogh  security  controls.  ^sirQpnate 
assessment  policies  and  procedures  should  be  documented  and 
based  on  the  security  categorizations. 

F18MA  eiqjlidllv  emphases  a  risk-based  policy  ibr  cost^tfectise 
security.  In  support  Of  and  rdnfordi*  Uiis  legislation,  0MB  Circular 
Ariau,  J^ipendix  m,  Semn^  fff  Federal  Automated  Inpmmmm 
Resources.  mttmsB  executive  agencKswithin  the  federal 
government  to  plan  for  security,  ensure  that  appropnate  offidalsare 


example,  both  loi^cai  aiio  Dhvsicai  j  neea  lo  be  assessed.  Ai:  me 
anphcation  level,  nsk  asessments  need  to  consider  speciiic 
business  processes  and  highly-Integrated  enterprise  resource 
planning  (ESP)  appUcattons  (diBCUBsed  In  Qiapter  4). 

Risk assessments should consider risks to data confidentiality, integrity, and availability, and the range of risks that an entity's systems and data may be subject to, including those posed by authorized internal and external users, as well as unauthorized outsiders who may try to break into the systems. For example, risk assessments should take into account observed trends in the types and frequency of hacker activity and threats. Such analyses should also draw on reviews of system and network configurations, as well as observations and testing of existing security controls.


Our study of security programs at leading organizations found that the following were key success factors for risk assessments:

• knowledge of business operations and technical aspects of the

• The business managers were required to provide a final sign-off indicating agreement with risk-reduction decisions and acceptance of the residual risk.

• Organizations required that final documentation be forwarded to more senior officials and to internal auditors so that participants

trouble. They believed that few reliable data were available on either the actual frequency of security incidents or on the full costs of controls and of damage due to a lack of controls.


Risk assessment and risk management are ongoing efforts. Although a formal, comprehensive risk assessment is performed periodically, such as part of a system security plan, risk should be considered whenever there is a change in an entity's operations or its use of technology or in outside influences affecting its operations. Changes to systems, facilities, or other conditions and identified security vulnerabilities should be analyzed to determine their impact on risk, and the risk assessment should be performed or revised as necessary. The risk assessment and validation and related management approvals should be documented and maintained on file. Such documentation should include risk assessments, security test and evaluation results, security plans, and appropriate management approvals. Further, according to NIST SP 800-37, systems should be certified and accredited before being placed in operation and when major system changes occur.


potential effect or impact on the agency.

Further, Appendix III of OMB Circular A-130 requires that agencies consider risk when determining the need for and selecting computer-related control techniques. However, the Circular no longer requires formal periodic risk analyses that attempt to quantify in dollars an annual loss exposure resulting from unfavorable events.

Pursuant to FISMA, NIST developed standards for security categorization of federal information and information systems according to a range of potential impacts (FIPS Pub 199). Table 6 summarizes these NIST standards using potential impact definitions for each security objective (confidentiality, integrity, and availability).
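The high-water-mark rule behind Table 6 and FIPS 199, as an added worked example (this code is not part of the FISCAM text or of any NIST publication). The information types and their impact levels are constructed sample data, and the function names are this example's own. Beyond the table itself, it enforces two FIPS 199 rules an auditor should check when reviewing a categorization: "not applicable" may be assigned only to the confidentiality of an information type (public information), and at the information-system level no objective may be below low, because the system's own processing functions always need protection.

```python
"""FIPS 199 security categorization by the high-water-mark rule.

Added worked example; not part of the FISCAM text. Sample data and helper
names are constructed for illustration.
"""
from typing import Dict, Tuple

ORDER = ("n/a", "low", "moderate", "high")        # least to most severe
OBJECTIVES = ("confidentiality", "integrity", "availability")


def rank(level: str) -> int:
    """Position of an impact level in ORDER; rejects anything else."""
    if level not in ORDER:
        raise ValueError(f"unknown impact level: {level!r}")
    return ORDER.index(level)


def validate_info_type(name: str, sc: Dict[str, str]) -> None:
    """Check one information type's category against the FIPS 199 rules."""
    if set(sc) != set(OBJECTIVES):
        raise ValueError(f"{name}: category must give exactly {OBJECTIVES}")
    for objective, level in sc.items():
        rank(level)
        # FIPS 199: 'not applicable' is permitted only for confidentiality
        # (e.g. public information); integrity and availability are never n/a.
        if level == "n/a" and objective != "confidentiality":
            raise ValueError(f"{name}: 'n/a' is only permitted for confidentiality")


def categorize_system(info_types: Dict[str, Dict[str, str]]) -> Tuple[Dict[str, str], str]:
    """Return (per-objective category, overall impact level) for a system.

    Per objective, the system takes the highest value among its information
    types (the high-water mark). A system-level value is never 'n/a': the
    system's own processing functions always need at least low protection.
    The overall level is the highest objective value, the FIPS 200 convention
    for selecting a SP 800-53 control baseline.
    """
    if not info_types:
        raise ValueError("a system must contain at least one information type")
    for name, sc in info_types.items():
        validate_info_type(name, sc)
    category: Dict[str, str] = {}
    for objective in OBJECTIVES:
        highest = max((sc[objective] for sc in info_types.values()), key=rank)
        category[objective] = "low" if highest == "n/a" else highest
    return category, max(category.values(), key=rank)


def format_sc(category: Dict[str, str]) -> str:
    """Render in the SC = {(objective, IMPACT), ...} notation of FIPS 199."""
    body = ", ".join(f"({obj}, {category[obj].upper()})" for obj in OBJECTIVES)
    return "SC = {" + body + "}"


# Constructed sample: a benefits-processing system with three information
# types. The levels are illustrative, not taken from SP 800-60.
SAMPLE_SYSTEM = {
    "public program descriptions": {"confidentiality": "n/a", "integrity": "low", "availability": "low"},
    "beneficiary PII":             {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"},
    "payment instructions":        {"confidentiality": "moderate", "integrity": "high", "availability": "moderate"},
}

if __name__ == "__main__":
    category, overall = categorize_system(SAMPLE_SYSTEM)
    print(format_sc(category))
    print("overall impact level:", overall)
```

For the sample system the result is SC = {(confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE)} with an overall level of high: one high-integrity information type drives the whole system's baseline, which is exactly the effect a reviewer should confirm was understood when the categorization was approved.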


information. The Privacy Act of 1974 and the privacy provisions of the E-Government Act of 2002 contain major requirements for the protection of personal privacy by federal agencies. The Privacy Act places limitations on agencies' collection, disclosure, and use of personal information maintained in systems of records, and requires that when agencies establish or make changes to a system of records, they must notify the public by a "system of records notice." The E-Government Act addresses the handling of personal information in agency systems or information collections, requiring that agencies conduct reviews of how information about individuals is handled within their agency when they use information technology to collect new information, or when agencies develop or buy new IT systems to handle collection of personally identifiable information.


of privacy and/or penalties associated with violation of the relevant statutes and policies. Further, it says that, in most cases, the impact on confidentiality for privacy information will be in the moderate range.


CA-4 Security Certification

CA-6 Security Accreditation

RA-2 Security Categorization


Security control policies and procedures should be documented and approved by management. They should also appropriately consider risk, address general and application controls, and ensure that users can be held accountable for their actions. Control policies and procedures may be written to be more general at the entitywide level and more specific at the system (for example, specific configurations) and application levels (for example, user access rules for specific applications). For example, access control policies may be implemented at the entitywide level through communication of formal written guidance; at the system level through system-level security software, firewall rules, and access control lists; and at the application level through very specific controls built into the application. Also, a formal sanctions process should be established for personnel who fail to comply with established IS control policies and procedures.


program must include policies and procedures that are based on the risk assessments.

At a broad level, agencies also develop standards, guidelines, and procedures that offer users, managers, and others a clear approach to implementing policy and meeting organizational goals. Standards and guidelines specify technologies and methodologies to be used to secure systems. Standards, guidelines, and procedures may be promulgated throughout an entity via handbooks, regulations, or manuals.


SM-3 Related NIST SP 800-53 Controls

See the -1 control for each family (e.g., AU-1, AT-1)


Control Techniques and Suggested Audit Procedures for Critical Element SM-3


Effective security-related personnel policies are critical to effective security. Ineffective personnel policies can result in employees or contractors inadvertently or intentionally compromising security. For example, security may be compromised due to an inadequate understanding, inadequate security training, or inadequate screening of employees.

A security awareness program should be implemented that includes first-time training for all new employees, contractors, and users; periodic refresher training for all employees;


In addition, employees with significant security responsibilities should receive specialized training, as described in NIST SP 800-16, "Information Technology Security Training Requirements: A Role- and Performance-Based Model" (April 1998). Also, see 5 CFR 930.301.

According to FISMA, agency security awareness training must include not only agency personnel but also contractors and other users of information systems that support the agency's operations and assets. This training must cover (1) information security risks associated with users' activities and (2) users' responsibilities in complying with agency policies and procedures designed to reduce these risks. FISMA also requires training for personnel with significant responsibilities for information security.


their responsibilities and their expected behavior. Other security-related personnel policies are also relevant to security. Policies regarding hiring, termination, and employee expertise are important because, without them, an entity runs the risk of (1) hiring unqualified or untrustworthy individuals; (2) providing terminated employees opportunities to sabotage or otherwise impair agency operations or assets; and (3) failing to detect continuing unauthorized


SM-4.1 Ensure that resource owners


FISMA and applicable OMB (e.g., OMB Circular A-130) and NIST (e.g., SP 800-53) guidance. This guidance specifically addresses security-related personnel policies and procedures. For example, NIST SP 800-53 addresses personnel security and controls related to personnel screening, termination and transfer, and third-party security.


• distributing documentation describing security policies, procedures, and users' responsibilities, including their expected behavior;

• requiring users to periodically sign a statement acknowledging their awareness and acceptance of responsibility for security (including the consequences of security violations) and their responsibilities for following all organizational policies (including maintaining confidentiality of passwords and physical security over their assigned areas); and

• requiring comprehensive security orientation, training, and periodic refresher programs to communicate security guidelines to both new and existing employees and contractors.

Leading organizations studied considered promoting awareness to be one of the most important factors in the risk management process. Awareness was considered to be especially important in reducing the risks of "social engineering," where users are talked into revealing passwords or other sensitive information to potential thieves. Educating users about such risks makes them think twice.

Fraudulent messages sent to obtain personal or sensitive data can lead to identity theft, loss of sensitive information, and reduced trust in and use of electronic government services.


SM-4.2. Hiring, transfer, termination, and performance policies address security

Security-related personnel and human resources policies and procedures should generally provide that

• background screening is performed in accordance with implementing regulations, consistent with the sensitivity of the position, per criteria from the Office of Personnel Management;

• individuals are screened before they are authorized to have access;

• a formal sanctions process enforces (for example, through performance ratings for individual employees) compliance with security policies and procedures;

• compensation and recognition are appropriate to promote high morale; and

• where appropriate, termination and transfer procedures include

• exit interview procedures;

• return of property, such as keys, identification cards, badges, and passes; and

• notification to security management of terminations, and prompt termination of access to the entity's resources and facilities (including passwords).
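The "prompt termination of access" item above is the one an auditor can test mechanically: reconcile the HR separation feed against the account directory and the authentication log, and flag any account of a separated person that is still enabled, was disabled late, or was used after the last day of employment. The following Python is an added example, not part of the FISCAM text; the HR records, account rows, log lines, one-day grace period, and field layout are all constructed assumptions.

```python
"""Reconcile HR separations against account status and login activity.

Added worked example; not part of the FISCAM text. All records below are
constructed, and the field layout and one-day grace period are assumptions.
"""
from datetime import date, datetime, timedelta
from typing import Dict, List

GRACE = timedelta(days=1)   # assumed policy: access removed by the next calendar day

# Constructed HR separation feed: person id -> last day of employment
SEPARATIONS: Dict[str, date] = {
    "E1001": date(2024, 3, 15),
    "E1002": date(2024, 3, 20),
    "E1003": date(2024, 4, 2),
}

# Constructed account directory export (one row per account, not per person)
ACCOUNTS = [
    {"user": "asmith",     "owner": "E1001", "enabled": False, "disabled_on": date(2024, 3, 15)},
    {"user": "asmith-adm", "owner": "E1001", "enabled": True,  "disabled_on": None},  # privileged account missed
    {"user": "bjones",     "owner": "E1002", "enabled": False, "disabled_on": date(2024, 3, 28)},  # removed late
    {"user": "cwu",        "owner": "E1003", "enabled": False, "disabled_on": date(2024, 4, 2)},
    {"user": "dlee",       "owner": "E1004", "enabled": True,  "disabled_on": None},  # still employed
]

# Constructed authentication log: "<ISO timestamp> <user> <success|failure>"
AUTH_LOG = """\
2024-03-15T09:12:03 asmith success
2024-03-18T22:41:10 asmith-adm success
2024-03-21T07:02:55 bjones failure
2024-03-26T11:30:00 bjones success
2024-04-02T16:05:12 cwu success
2024-04-03T08:00:00 dlee success
"""


def parse_log(text: str) -> List[dict]:
    """Parse the constructed log format; blank lines are ignored."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        entries.append({"ts": datetime.fromisoformat(ts), "user": user, "result": result})
    return entries


def reconcile(separations: Dict[str, date], accounts: List[dict], log_entries: List[dict]) -> List[dict]:
    """Return one finding per control failure for accounts of separated staff."""
    successes: Dict[str, List[datetime]] = {}
    for entry in log_entries:
        if entry["result"] == "success":
            successes.setdefault(entry["user"], []).append(entry["ts"])

    findings = []
    for acct in accounts:
        last_day = separations.get(acct["owner"])
        if last_day is None:
            continue  # owner not separated; out of scope for this check
        user = acct["user"]
        if acct["enabled"]:
            findings.append({"user": user, "issue": "account still enabled after separation"})
        elif acct["disabled_on"] is None:
            findings.append({"user": user, "issue": "disabled, but no disable date recorded"})
        elif acct["disabled_on"] > last_day + GRACE:
            lag = (acct["disabled_on"] - last_day).days
            findings.append({"user": user, "issue": f"access removed {lag} days after separation"})
        # Any successful login dated after the last day is a failure regardless
        # of the account's current state: it shows the window was exploitable.
        late = sorted(ts for ts in successes.get(user, []) if ts.date() > last_day)
        if late:
            findings.append({"user": user, "issue": f"{len(late)} successful login(s) after separation, latest {late[-1].isoformat()}"})
    return sorted(findings, key=lambda f: (f["user"], f["issue"]))


if __name__ == "__main__":
    for finding in reconcile(SEPARATIONS, ACCOUNTS, parse_log(AUTH_LOG)):
        print(f'{finding["user"]:12} {finding["issue"]}')
```

Two design points matter for the audit. The join is on the account's owner, not the username, because the common failure is a secondary or privileged account (here asmith-adm) that the HR-driven process never knew about. And login activity is checked independently of the account's current state, so an account that was eventually disabled but used in the meantime still produces a finding.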


Employees have adequate training and expertise

Management should ensure that employees, including data owners, system users, data processing personnel, and security management personnel, have the expertise to carry out their information security responsibilities. To accomplish this, a security training program should be developed that includes

• job descriptions that include the education, experience, and expertise required;

• periodically reassessing the adequacy of employees' skills;

• annual training requirements and professional development programs to help make certain that employees' skills, especially technical skills, are adequate and current; and

• monitoring employee training and professional development.


SM-4 Related NIST SP 800-53 Controls

AT-2 Security Awareness

AT-3 Security Training

AT-4 Security Training Records

PL-4 Rules of Behavior

PS-1 Personnel Security Policy and Procedures

PS-3 Personnel Screening

PS-4 Personnel Termination

PS-5 Personnel Transfer

PS-6 Access Agreements

PS-7 Third-Party Personnel Security


Control Techniques and Suggested Audit Procedures for Critical Element SM-4


information security program. However, because security is not an end in itself, senior managers should balance the emphasis on security with the larger objective of achieving the agency's/entity's mission. To do this effectively, top management should understand the agency's/entity's security risks and actively support and monitor the effectiveness of its security policies. If senior management does not monitor the security program, it is unlikely that others in the organization will be committed to properly implementing it. Monitoring is one of GAO's five internal control standards.

Over time, policies and procedures may become inadequate because of changes in threats, changes in operations, or deterioration in the degree of compliance. Periodic assessments are an important means of identifying areas of noncompliance, reminding employees of their responsibilities, and demonstrating management's commitment to the security plan. Such assessments can be performed by entity staff or by external reviewers engaged by management. Independent audits performed or arranged by GAO and by agency inspectors general, while an important check on management performance, should not be viewed as substitutes for management's own evaluations.

FISMA requires federal agencies to perform periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices. First, agencies must provide

OMB reporting guidance (M-03-19) has noted that annual FISMA testing does not alter OMB's policy requiring system reauthorization (certification and accreditation) at least every 3 years or when significant changes are made.

Second, FISMA requires annual independent evaluations of agency information security programs and practices to determine their effectiveness. Independent evaluations of non-national-security systems are to be performed by the agency's Inspector General or by an independent external auditor chosen by the IG, if any, or by the head of the agency if there is no agency IG. Evaluations related to national security systems are to be performed only by an entity designated by the agency head. These independent evaluations must test the effectiveness of control techniques for a representative subset of agency systems.


Depth and breadth of testing should be based on a consideration of the magnitude of harm. An integrated testing plan or strategy promotes efficient periodic testing; without such a strategy, the nature and extent of testing may be inefficient.


by someone trying to obtain unauthorized access. Vulnerability assessments usually consider both unauthorized access by outsiders as well as insiders. Vulnerability assessments typically include the use of various tools discussed in Table 10 below, such as scanning tools, password crackers, and war dialing and war driving tools. Also, vulnerability assessments may include penetration testing. Vulnerability assessments should be performed in addition to testing individual access controls and other control categories.

Since the methods used for unauthorized access vary greatly and are becoming more sophisticated, the vulnerability assessment techniques defined here are general in nature and should be supplemented with techniques and tools specific to the particular environment.

The effectiveness of management's security testing, including vulnerability assessments, may affect the auditor's judgments about IS risk and, consequently, the nature, timing, and extent of audit testing. Factors to consider in assessing the effectiveness of management's testing include:

• the nature of management's testing (the types of testing management applied, the strength of the evidence obtained, the experience, capabilities, and objectivity of the persons performing the testing, and the quality of documentation of the testing);

• the timing of management's testing.

The auditor should review management vulnerability assessments and may independently perform their own vulnerability assessments to determine whether management vulnerability assessments are

entity based on a cost/risk analysis. Auditors may need to conduct these types of audits "without tools," because some audited entities will not want to accept the risk of an auditor running tools in a "live" environment. There generally should be an agreement between the auditor and the audited entity on the type of testing to be conducted (intrusive or nonintrusive). Section 3.1.9, "Communication with Entity Management and Those Charged with Governance," provides further guidance on communicating the nature and extent of planned testing with the entity.

Due to the highly technical nature of such testing by the auditor, it should be performed by persons possessing the necessary technical skills (e.g., an IT specialist). See Appendix V for additional information on the knowledge, skills, and abilities needed to perform IS control audits. Also, the section "Automated Audit Tools" provides further guidance on the auditor's use of testing tools. Audit testing is discussed further in connection with the audit and monitoring control activities.

There are several different types of security testing. Some testing techniques are predominantly manual, requiring an individual to initiate and conduct the test. Other tests are highly automated and require less human involvement. Testing may also be conducted from external connections (for example, from the Internet).

passwords, operating systems, and networking protocols (such as Transmission Control Protocol/Internet Protocol (TCP/IP), a low-level communication protocol).

Table 10 summarizes types of security testing.


However, since penetration testing requires effective planning and experienced staff to conduct, the auditor carefully considers several factors before deciding to perform this testing. For example, penetration testing may be a desirable testing option when significant changes have been made to the entity's network (e.g., upgrades to servers, routers, switches, or network software), there are no recent penetration tests performed, or results of recent penetration testing identified significant security weaknesses that management represented were substantially corrected. Conversely, if recent independent penetration testing disclosed few security weaknesses and the testing is considered by the auditor to be sufficient, then the use of other types of testing may be more appropriate.


Other tools that may be used include specialty scanning tools (for example, for application code, Web, database, and SNMP), host data extraction tools, packet analyzers or sniffers (for example, Ethereal, now distributed as Wireshark), and patch assessment tools. Separate patch assessment tools are more reliable than vulnerability scanners for this purpose, because they inspect the installed package or file versions on the host, whereas a network scanner typically infers patch level from service banners and can misjudge a backported fix.


When implementing the periodic testing and evaluation required by FISMA, agency management should

• develop and implement appropriate testing policies and procedures (entity level);

• test and document security controls related to each major system at least annually (system level);

• ensure that the frequency and scope of testing is commensurate with risk (all levels); and

• employ automated mechanisms to verify the correct operation of security functions when anomalies are discovered (system and application levels).

In addition to the FISMA provisions in the E-Government Act of 2002, Section 208 requires that agencies conduct privacy impact assessments. A privacy impact assessment is an analysis of how information is handled (1) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; (2) to determine the risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information system; and (3) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks. OMB Memorandum M-03-22 provides guidance for implementing these privacy provisions.

OMB has developed performance measures for federal agencies' security programs and requires that agencies provide quarterly updates. For example, one such measure is the number of systems for which security controls have been tested and evaluated in the past year. NIST SP 800-55 provides guidance on security performance measurement. Although not required, it would be appropriate for an agency to describe its evaluation program, including the expected type of testing and frequency of evaluations, in its security plan. Security plans are discussed in critical element SM-1.

OMB also requires that a management official authorize in writing the use of each general support system and major application. NIST SP 800-37 refers to this authorization as accreditation. OMB Circular A-130 allows self-reviews of controls for general support systems but requires an independent review or audit of major applications. The authorizations or accreditations are to be provided by the program or functional managers whose missions are supported by the automated systems; these represent the managers' explicit acceptance of risk based on the results of any security reviews, including those performed as part of financial statement audits and during related risk assessments. Additional guidance on accrediting federal automated systems can be found in NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.


Plans of action and milestones should be developed based on findings from security control assessments, security impact analyses, continuous monitoring of activities, audit reports, and other sources. For federal agencies, such plans are referred to as Plans of Actions and Milestones (POA&Ms). When considering appropriate corrective actions to be taken, the entity should, to the extent possible, consider the potential implications throughout the entity and design appropriate corrective actions.


FISMA specifically requires that agencywide information security programs include a "process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency." Further, agencies must report on the adequacy and effectiveness of information security policies, procedures, and practices in annual reports to OMB, Congress, and GAO and in annual budget and management plans and reports. The latter include reporting a FISMA "significant deficiency" in information security as a material weakness. Government Performance and Results Act performance plans must describe time periods and resources needed to effectuate a risk-based program.


SM-6 Related NIST SP 800-53 Controls

CA-5 Plan of Action and Milestones


Control Techniques and Suggested Audit Procedures for Critical Element SM-6


(6) connectivity agreements, (7) individual accountability (for example, expectations, remedies), (8) audit access and reporting, (9) termination procedures, (10) security awareness training, (11)


SA-9 External Information System Services

Control Techniques and Suggested Audit Procedures for Critical Element SM-7


3.2.  Access  Controls  (AC) 


Without adequate access controls, unauthorized individuals, including outside intruders and former employees, can surreptitiously read and copy sensitive data and make undetected changes or deletions for malicious purposes or personal gain. In addition, authorized users can intentionally or unintentionally read, add, delete, or modify data or programs beyond the scope of their authority.

Access control policies and procedures should be formally developed, documented, disseminated, and periodically updated. Policies should address purpose, scope, roles, responsibility, and compliance, and procedures should facilitate implementation of the policy and associated access controls. NIST special publications provide guidance on security policies and procedures.


For access controls to be effective, they should be properly authorized, implemented, and maintained. First, an entity should analyze the responsibilities of individual computer users to determine what type of access (for example, read, modify, delete) users need to fulfill their responsibilities. Then, specific control techniques, such as specialized access control software, should be implemented to restrict access to those authorized functions.




• Unauthorized access to programs could allow an individual to make unauthorized changes to these programs, or introduce malicious programs, which, in turn, could be used to access data files, resulting in situations similar to those just described, or the processing of unauthorized transactions. For example, a person could alter a payroll or payables program to inappropriately generate a check for him/herself.

• By obtaining access to system-level resources, an individual could circumvent security controls to read, add, delete, modify, or exfiltrate critical or sensitive business information or programs. Further, authorized users could gain unauthorized privileges to conduct unauthorized actions or to circumvent edits.


The objectives of limiting access are to ensure that

• outsiders (for example, hackers) cannot gain unauthorized access to the entity's systems or data; and

• authorized users have only the access needed to perform their duties.


If these objectives are met, the risk of inappropriate modification or disclosure of data can be reduced without interfering with users' practical needs. However, establishing the appropriate balance between user needs and security requires a careful analysis of the criticality and sensitivity of the information resources available and the tasks performed by users. Access controls also apply to alternate worksites (for example, employee residences or contractor facilities).

Implementing adequate access controls involves first determining what level and type of protection is appropriate for individual resources based on a risk assessment and on who needs access to these resources. These tasks should be performed by the resource owners. For example, program managers should determine how valuable their program data resources are and what access is appropriate for personnel who must use an automated system to carry out, assess, and report on program operations. Similarly, managers in charge of systems development and modification


For example, an entity may decide not to require users to periodically change passwords for e-mail because initial entry to the system relies on a two-factor token-based authentication system. Other entities may rely less on boundary protection but place more emphasis on audit and monitoring. Accordingly, the collection of controls used will vary from entity to entity.

The six critical elements for access controls are described here.


processes acting on behalf of users.

Identification and authentication. Users, processes acting on behalf of users, and devices are identified and authenticated.

Authorization. Access to resources is granted based on the identity of the user, service, or device.

Sensitive system resources. Controls over sensitive system resources are designed to ensure the confidentiality, integrity, and availability of system data such as passwords and keys.


Critical Element AC-1. Adequately protect information system boundaries


networks and controls connectivity to and from network-connected devices. At the entitywide level, access control policy is developed and promulgated through procedures, manuals, and other guidance. At the system level, any connections to the Internet, or to other external and internal networks or information systems, should occur through controlled interfaces (for example, proxies, gateways, routers and switches, and firewalls). At the host or device level, logical boundaries can be controlled through inbound and outbound filtering provided by access control lists and personal firewalls. At the application level, logical boundaries to business process applications may be controlled by access control lists in security software or within the applications.
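The host- and system-level filtering just described (access control lists applying inbound and outbound rules at a controlled interface) can be checked offline from an exported rule set rather than by probing the live network. The following Python is an added example, not FISCAM's own material; the rule set, the address ranges, and the first-match/implicit-deny semantics are this example's assumptions, chosen to match how most router and host ACLs behave. It shows two checks an auditor needs: evaluating a single flow against the list, and a reverse query that lists every rule admitting traffic to a given internal port, which is the inventory of access paths that AC-1.1 requires the entity to identify and justify. The reverse query also drops permits that an earlier deny fully shadows, so dead rules are not reported as live paths.

```python
"""Evaluate a boundary ACL and enumerate access paths to a sensitive port.

Added worked example; not part of the FISCAM text. The rule set, address
ranges and rule format are constructed. Semantics assumed: rules are
evaluated top-down, the first match decides, and unmatched traffic is
denied, which is how most router and host ACLs behave.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_PORT = (1, 65535)


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp" or "any"
    src: str                 # source network in CIDR form
    dst: str                 # destination network in CIDR form
    dports: Tuple[int, int]  # inclusive destination port range
    comment: str = ""


def _net(cidr: str):
    return ipaddress.ip_network(cidr, strict=False)


def matches(rule: Rule, proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
    """True if a single flow is covered by this rule."""
    if rule.proto not in ("any", proto):
        return False
    if ipaddress.ip_address(src_ip) not in _net(rule.src):
        return False
    if ipaddress.ip_address(dst_ip) not in _net(rule.dst):
        return False
    return rule.dports[0] <= dport <= rule.dports[1]


def evaluate(acl: List[Rule], proto: str, src_ip: str, dst_ip: str, dport: int) -> Tuple[str, Optional[Rule]]:
    """First matching rule wins; the implicit deny returns ("deny", None)."""
    for rule in acl:
        if matches(rule, proto, src_ip, dst_ip, dport):
            return rule.action, rule
    return "deny", None


def paths_to(acl: List[Rule], dst_cidr: str, dport: int, proto: str = "tcp") -> List[Rule]:
    """Permit rules that can admit traffic to dport on some host in dst_cidr.

    A permit is skipped when an earlier deny fully covers its source and
    destination for this port and protocol: that permit is shadowed and can
    never match, so it is not a live access path.
    """
    target = _net(dst_cidr)
    live = []
    for i, rule in enumerate(acl):
        if rule.action != "permit" or rule.proto not in ("any", proto):
            continue
        if not _net(rule.dst).overlaps(target):
            continue
        if not (rule.dports[0] <= dport <= rule.dports[1]):
            continue
        shadowed = any(
            earlier.action == "deny"
            and earlier.proto in ("any", proto)
            and _net(rule.src).subnet_of(_net(earlier.src))
            and _net(rule.dst).subnet_of(_net(earlier.dst))
            and earlier.dports[0] <= dport <= earlier.dports[1]
            for earlier in acl[:i]
        )
        if not shadowed:
            live.append(rule)
    return live


# Constructed inbound ACL on the Internet-facing interface; 192.0.2.0/24 is
# the entity's public-facing subnet in this example.
INBOUND_ACL = [
    Rule("deny",   "any", "10.0.0.0/8",      "0.0.0.0/0",     ANY_PORT,     "anti-spoofing: internal addresses never arrive from outside"),
    Rule("permit", "tcp", "0.0.0.0/0",       "192.0.2.10/32", (443, 443),   "public web front end via reverse proxy"),
    Rule("deny",   "tcp", "0.0.0.0/0",       "192.0.2.0/24",  (3389, 3389), "no RDP from the Internet"),
    Rule("permit", "tcp", "198.51.100.0/24", "192.0.2.0/24",  (22, 22),     "vendor support range, SSH"),
    Rule("permit", "tcp", "0.0.0.0/0",       "192.0.2.20/32", ANY_PORT,     "legacy rule: host wide open, needs justification"),
]

if __name__ == "__main__":
    print(evaluate(INBOUND_ACL, "tcp", "203.0.113.5", "192.0.2.20", 3389))   # denied by the RDP rule
    for rule in paths_to(INBOUND_ACL, "192.0.2.20/32", 1433):
        print("path:", rule.comment)
```

Run against the constructed list, the reverse query reports no live path for RDP to 192.0.2.20 (the broad legacy permit is shadowed by the earlier deny for that port) but does report the legacy permit as a path for every other port, which is the kind of finding the access-path inventory exists to surface.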

Implementing multiple layers of security to protect information system internal and external boundaries provides Defense-in-Depth (described earlier under additional IS risk).

In addition to deploying a series of security technologies at multiple layers, deploying diverse technologies at different layers also mitigates the risk of successful cyber attacks. If several different technologies are deployed between an adversary and the targeted system, the adversary must overcome the unique obstacle presented by each of the technologies. For example, firewalls and intrusion detection technologies can be deployed to defend against attacks from the Internet, and antivirus software can be used to provide integrity protection for data transmitted over the networks. Thus, Defense-in-Depth can be effectively implemented through multiple security measures among hosts, local area networks and wide area networks, and the Internet.

Defense-in-Depth also entails implementing an appropriate network configuration, which can, in turn, affect the selection and implementation of cybersecurity technologies. For example, configuring the entity's network to channel Internet access through


AC-1.1. Appropriately control connectivity to system resources

Users obtain access to data files and software programs through one or more access paths through the networks and computer hardware and software. Accordingly, to implement an appropriate level of security, it is important that the entity, to the extent possible, identify, document, and control all access paths. Further, connectivity between systems should be approved only when appropriate by entity management. Consideration should be given to the risk and corresponding safeguards needed to protect sensitive data. NIST SP 800-47 provides guidance on interconnecting

Networks should be appropriately configured to adequately protect access paths between systems and consider the possible


the system, the type of device from which they can access the system, the software used to access the system, the resources they may access, the system on which these resources reside, and the modes of operation and telecommunications paths. The goal in identifying access paths is to assist in identifying the points from which system resources could be accessed and the data stored, points that, therefore, must be controlled. Specific attention should be given to "backdoor" methods of accessing data by operators and programmers. As with other aspects of risk analysis, the access path diagram should be reviewed and updated whenever any changes are made to the system or to the nature of the program and program files maintained by the system.


programs, or password files. Should this happen, managers will have an incomplete understanding of the risks associated with their systems and, therefore, may make erroneous risk management decisions.

Connecting to the Internet presents a multitude of vulnerabilities for an entity due to the Internet's potential access to


authenticating information generated by the microprocessor and communicated to the computer. Encryption is often used to protect the confidentiality of remote access sessions and is extremely important to protecting wireless access to information systems.

Information systems may identify and authenticate specific devices before establishing a connection. Device authentication typically uses either shared known information (for example, media access control or transmission control program/internet protocol addresses) or an organizational authentication solution to identify and authenticate devices on local and wide area networks. Thus, it is important for the auditor to identify the controls over devices that provide this type of protection.

Emerging threats from the Internet (for example, spam and spyware) require new and updated protection mechanisms. The entity should employ spam and spyware protection at

critical information system entry points (for example, firewalls, electronic mail servers, remote access servers) and at workstations, servers, or mobile computing devices on the network. Consideration should be given to using spam and spyware protection products from multiple vendors (for example, using one vendor for boundary devices and another vendor for workstations) to provide additional layers of defense. It is also important to centrally manage spam and spyware protection mechanisms and to have the system automatically update these mechanisms.

Depending on how access control techniques and devices are implemented, they can be used to

• verify terminal identifications to restrict access through specific terminals,

• verify IDs and passwords for access to specific applications,

• control access between telecommunications systems and terminals,

• restrict an application's use of network facilities,

• automatically disconnect at the end of a session,

• provide network activity logs that can be used to monitor network use and configuration,

• allow authorized users to shut down network components,

• monitor dial-in access to the system by monitoring the source of calls or by disconnecting and then dialing back users at preauthorized phone numbers,

• restrict in-house access to communications software,

• control changes to communications software, and

• restrict and monitor access to telecommunications hardware or facilities.

As with other access controls, to be effective remote access controls should be properly implemented in accordance with authorizations that have been granted. In addition, tables or lists used to define security limitations should be protected from unauthorized modification, and in-house access to communications security software should likewise be protected from unauthorized access and modification. Dial-in phone numbers should not be published, and should be changed periodically.

An understanding of the system and network configurations and the control techniques that have been implemented is necessary to assess the risks associated with external access through telecommunications networks and the effectiveness of related controls. This is likely to require assistance from an auditor with special expertise in communications-related controls.

Connectivity should only be approved when appropriate to perform assigned official duties. Significant threats are posed by portable


updating virus protection software, scanning for critical software updates and patches, conducting primary operating system (and possibly other resident software) integrity checks, and disabling unnecessary hardware (for example, wireless). Security controls include

• usage restrictions and implementation guidance,

• authorization by appropriate organizational officials, and

• documentation and monitoring of device access to entity networks.

The entity should also establish strict terms and conditions for the use of personally-owned information systems. The terms and conditions should address, at a minimum: (1) the types of applications that can be accessed from personally-owned information systems; (2) the maximum FIPS 199 security category of information that can be processed, stored, and transmitted; (3) how other users of the personally-owned information system will be prevented from accessing federal information; (4) the use of virtual private networking and firewall technologies; (5) the use of and protection against the vulnerabilities of wireless technologies; (6) the maintenance of adequate physical security controls; (7) the use of virus and spyware protection software; and (8) how often the security capabilities of installed software are to be updated (for example, operating system and other software security patches, virus definitions, firewall version updates, spyware definitions). For guidance on protection of remote information refer to OMB M-06-16.


reestablishes access using appropriate

substitute for logging out of the information system. When connectivity is not continual, network connections should automatically disconnect at the end of a session. OMB Memorandum M-06-16 requires that all federal agencies use a "time-out function for remote access and mobile devices requiring user re-authentication after 30 minutes inactivity."

In addition to technical controls, the initial screen viewed by an individual accessing an entity's systems through a telecommunications network should provide a warning banner to

information system should also display the entity's privacy policy before granting access. Also, the warning screen generally should refer to 18 U.S.C. 1030, which provides criminal penalties for intentional unauthorized access. Previous logon notification is another control that can identify unauthorized access. The information system notifies the user, on successful logon, of the date and time of the last logon, the location of the last logon, and the number of unsuccessful logon attempts since the last successful


AC-1 Related NIST SP 800-53 Controls

AC-4 Information Flow Enforcement

AC-8 System Use Notification

AC-9 Previous Logon Notification

AC-11 Session Lock

AC-12 Session Termination

AC-17 Remote Access

AC-18 Wireless Access Restrictions

AC-19 Access Control for Portable and Mobile Devices

CA-3 Information System Connections

SC-7 Boundary Protection

SC-10 Network Disconnect


Control Techniques and Suggested Audit Procedures for Critical Element AC-1


Critical Element AC-2. Implement effective identification and authentication mechanisms

the entity should also periodically authorize and monitor accounts and remove, disable, or otherwise secure unnecessary accounts. Finally, the entity should ensure that account managers are notified when information system users are terminated or transferred and associated accounts are removed, disabled, or

AC-2.1. Users are appropriately identified and authenticated


the computer. However, the confidentiality of user IDs is typically not protected. For this reason, other means of authenticating users, that is, determining whether individuals are who they say they are, are typically implemented (for example, passwords, security tokens, etc.). In addition, the information system should limit the number of concurrent sessions for any user. NIST SP 800-63 provides additional guidance on authentication.

An entity may permit limited user activity without identification and authentication for publicly available information systems and Web sites. However, for actions without identification and authentication, management should consider the risk and only allow such actions to the extent necessary to accomplish mission objectives.

The most widely used means of authentication is through the use of passwords. However, passwords are not conclusive identifiers of specific individuals since they may be guessed, copied, overheard, or recorded and played back. Typical controls for protecting the confidentiality of passwords include the following:


subject to disclosure.

• Passwords are changed periodically, about every 30 to 90 days. The more sensitive the data or the function, the more frequently passwords should be changed.

passwords so that they cannot be easily guessed.

• Use of old passwords (for example, within six generations) is prohibited.

• Vendor-supplied passwords such as SYSTEM, DEFAULT, USER, DEMO, and TEST, are replaced immediately on implementation of a new system.

To help ensure that passwords cannot be guessed, attempts to logon

passwords into a form readable only by using the appropriate key, held only by authorized parties. Access to this file should be restricted to only a few people; encryption further reduces the risk that passwords could be accessed and read by unauthorized individuals. Passwords transmitted on the network should likewise be encrypted to prevent disclosure. Cryptographic controls and related audit procedures are covered in section AC-4.3.
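The password controls listed above (AC-2) and the previous logon notification described under AC-1 can be exercised together in one account model. The following Python sketch is an added example written for this edit, not GAO's code or any product's: it rejects the vendor-supplied passwords named in the manual, prohibits reuse within six generations, expires passwords after 90 days, locks the account after repeated failures, and reports the last logon and the failed attempts since it. The lockout threshold of three and the minimum length of eight are assumed values; the manual states neither.

```python
"""Account-level controls sketched in FISCAM AC-1/AC-2 (added example, not GAO's code)."""
import hashlib
import os
from datetime import datetime, timedelta

# Vendor-supplied passwords named in the manual; an entity would extend this list.
VENDOR_DEFAULTS = {"SYSTEM", "DEFAULT", "USER", "DEMO", "TEST"}
PASSWORD_HISTORY = 6                   # generations that may not be reused
MAX_PASSWORD_AGE = timedelta(days=90)  # upper end of the 30-90 day range
MAX_FAILED_ATTEMPTS = 3                # assumed lockout threshold; the manual gives none
MIN_PASSWORD_LENGTH = 8                # assumed; the manual only says "not easily guessed"


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the stored password file is unreadable without the key material."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Account:
    def __init__(self, user_id: str):
        self.user_id = user_id
        self.history = []                 # (salt, digest) pairs, newest last
        self.changed_at = None            # when the current password was set
        self.locked = False
        self.failed_since_success = 0     # unsuccessful attempts since last good logon
        self.last_logon = None            # (datetime, location) of last successful logon

    def _reused(self, password: str) -> bool:
        return any(_hash(password, s) == d for s, d in self.history[-PASSWORD_HISTORY:])

    def set_password(self, password: str, now: datetime) -> None:
        """Apply the password-selection controls; raises ValueError on a violation."""
        if len(password) < MIN_PASSWORD_LENGTH:
            raise ValueError("password too short")
        if password.upper() in VENDOR_DEFAULTS:
            raise ValueError("vendor-supplied default password not allowed")
        if self._reused(password):
            raise ValueError(f"reuse within last {PASSWORD_HISTORY} generations prohibited")
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.history = self.history[-PASSWORD_HISTORY:]
        self.changed_at = now

    def password_expired(self, now: datetime) -> bool:
        return self.changed_at is None or now - self.changed_at > MAX_PASSWORD_AGE

    def logon(self, password: str, location: str, now: datetime):
        """Return (success, message). Lockout is checked before the password is tested."""
        if self.locked:
            return False, "account locked; administrator must re-enable"
        salt, digest = self.history[-1]
        if _hash(password, salt) != digest:
            self.failed_since_success += 1
            if self.failed_since_success >= MAX_FAILED_ATTEMPTS:
                self.locked = True
            return False, "logon failed"          # no hint about which part was wrong
        if self.password_expired(now):
            return False, "password expired; change it before continuing"
        notice = self.previous_logon_notice()      # built before the counters are reset
        self.last_logon = (now, location)
        self.failed_since_success = 0
        return True, notice

    def previous_logon_notice(self) -> str:
        """Text shown to the user on a successful logon (AC-9 style notification)."""
        if self.last_logon is None:
            return "No previous logon recorded for this account."
        when, where = self.last_logon
        return (f"Last successful logon {when:%Y-%m-%d %H:%M} from {where}; "
                f"{self.failed_since_success} unsuccessful attempt(s) since then.")
```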

In addition to passwords, identification devices such as ID cards, access cards, tokens, and keys may be used. Factors affecting the effectiveness of such devices include (1) the frequency that

immediately. Procedures should be established to handle lost or compromised passwords, access cards, or tokens. OMB Memorandum M-06-16 requires that federal agencies allow remote access to personally identifiable information and other sensitive information only with two-factor authentication where one of the

access. Also see AC-1.2.

Biometrics involves verifying or recognizing the identity of a person based on physiological or behavioral characteristics. Biometric devices include fingerprints, retina patterns, hand geometry, speech patterns, and keystroke dynamics. Tests of biometric techniques include reviewing the devices, observing the operations, and taking whatever other steps may be necessary to evaluate their effectiveness, including obtaining the assistance of a specialist.

To further increase security, identification and authentication may be accomplished using any combination of multiple mechanisms (such as a token ID in conjunction with a number, or a biometric identification). Management should implement effective procedures to determine compliance with authentication policies. Whatever technique is used, the implementation cost versus the risk and potential loss to the entity's operations from a breach in security should be taken into consideration.


Electronic signatures such as digital signatures and public key infrastructure (PKI) are used to identify the sender of information and ensure the integrity of critical information received from the sender. Several technologies, including personal identification numbers, smart cards, biometrics, and an encrypted set of bits that identifies the sender, are used for electronic signatures. The most common electronic signature today is the digital signature, which is attached to each message. Digital signatures are used in conjunction with certificate authorities and other PKI encryption hardware, software, policies, and people to verify that the individuals on each end of a

nothing in the message has been changed. A digital certificate or shared secret may also be used to authenticate the identity of a device or devices involved in system communications, as opposed to the users. Also, see NIST SP 800-63, OMB Memorandum M-04-04, and the Federal Bridge Certification Authority for further

In accordance with OMB policy, authentication of public users accessing federal information systems may also be required to protect nonpublic or privacy-related information. OMB Memorandum 04-04 requires agencies to conduct e-authentication risk assessments of e-government systems. These assessments will measure the relative severity of the potential harm and likelihood of occurrence of a wide range of impacts associated with the e-government system in the event of a compromise in identity


AC-2 Related NIST SP 800-53 Controls
AC-7 Unsuccessful Login Attempts
AC-10 Concurrent Session Control
AC-14 Permitted Actions Without Identification or Authentication
AU-10 Non-Repudiation
IA-2 User Identification and Authentication
IA-3 Device Identification and Authentication
IA-4 Identifier Management
IA-5 Authenticator Management
IA-6 Authenticator Feedback
SC-17 Public Key Infrastructure Certificates
SC-20 Secure Name/Address Resolution Service (Authoritative Source)
SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver)
SC-22 Architecture and Provisioning for Name/Address Resolution Service
SC-23 Session Authenticity


Control Techniques and Suggested Audit Procedures for Critical Element AC-2


operating systems have some built-in

user rights and privileges, groups of users, and permissions for files and folders. Network devices, such as routers, may have access control lists that can be used to authorize users who can access and perform certain actions on the device. Access rights and privileges are used to implement security policies that determine what a user can do after being allowed into the system.


permissions, and privileges is one of the

appropriately controlled

In order to adequately control user accounts, an entity should institute policies and procedures for authorizing logical access to information resources and document such authorizations. These policies and procedures should cover user access needed for routine operations, emergency access, and the sharing and disposition of data with individuals or groups outside the entity. Further, logical access controls should enforce segregation of duties.

The computer resource owner should identify the specific user or class of users authorized to obtain direct access to each resource for which they are responsible. Access should be limited to individuals with a valid business purpose (least privilege). Unnecessary accounts (default, guest accounts) should be removed, disabled, or otherwise secured. This process can be simplified by developing standard profiles, which describe access needs for groups of users with similar duties, such as accounts payable clerks.


owner should also identify
resource that is available
profile. In general,

• merge access, the ability to combine data from two separate

• execute access, the ability to execute a software program

Access may be permitted at the file, record, or field level. Files are composed of records, typically one for each item or transaction. Individual records are composed of fields that contain specific data


mishandling, alterations, and misunderstandings.

Security managers should review access authorizations for new or modified access privileges and discuss any questionable authorizations with the resource owners (authorizing officials).

Approved authorizations should be maintained on file. Compliance with access authorizations should be monitored by periodically comparing authorizations to actual access activity. Access control software typically provides a means of reporting user access authorizations and access activity. All changes to security access authorizations should be automatically logged and periodically reviewed by management independent of the security function. Unusual activity should then be investigated.
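The comparison of authorizations on file with actual access activity described above can be automated over the reports that access control software produces. The following Python example is added for this edit and is not GAO's or any product's code; the authorization table and the access-log lines are constructed sample data in an assumed five-field format (timestamp, user, resource, action, result). It reports successful accesses with no authorization on file, repeated denials that may indicate probing or a stale authorization, and authorizations that were never exercised and so merit a least-privilege review.

```python
"""Compare recorded access authorizations with actual access activity (added example, not GAO's code)."""
from collections import Counter

# Constructed authorization table taken from approved access forms: resource -> authorized user IDs.
AUTHORIZATIONS = {
    "PAYROLL.MASTER": {"aclerk1", "aclerk2"},
    "GL.JOURNAL": {"aclerk1", "gladmin"},
    "SYS1.PARMLIB": {"sysprog1"},
}

# Constructed access-control-software report; assumed format: timestamp user resource action result.
ACCESS_LOG = """\
2009-02-03T08:15:02 aclerk1 PAYROLL.MASTER READ SUCCESS
2009-02-03T08:16:40 aclerk2 PAYROLL.MASTER UPDATE SUCCESS
2009-02-03T09:02:11 tempuser GL.JOURNAL READ SUCCESS
2009-02-03T22:47:55 aclerk1 SYS1.PARMLIB UPDATE SUCCESS
2009-02-03T23:05:09 sysprog1 SYS1.PARMLIB UPDATE SUCCESS
2009-02-04T08:00:00 aclerk2 GL.JOURNAL READ FAILURE
2009-02-04T08:00:07 aclerk2 GL.JOURNAL READ FAILURE
2009-02-04T08:00:15 aclerk2 GL.JOURNAL READ FAILURE
"""


def parse_log(text):
    """Turn the report lines into dicts; blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, resource, action, result = line.split()
        entries.append({"ts": ts, "user": user, "resource": resource,
                        "action": action, "result": result})
    return entries


def unauthorized_successes(entries, authorizations):
    """Successful accesses for which no approved authorization is on file."""
    return [e for e in entries
            if e["result"] == "SUCCESS"
            and e["user"] not in authorizations.get(e["resource"], set())]


def repeated_denials(entries, threshold=3):
    """(user, resource) pairs denied at least `threshold` times in the period."""
    counts = Counter((e["user"], e["resource"]) for e in entries if e["result"] == "FAILURE")
    return sorted(pair for pair, n in counts.items() if n >= threshold)


def unused_authorizations(entries, authorizations):
    """Authorizations never exercised in the period: candidates for removal (least privilege)."""
    used = {(e["user"], e["resource"]) for e in entries if e["result"] == "SUCCESS"}
    return sorted((user, res) for res, users in authorizations.items()
                  for user in users if (user, res) not in used)


def compliance_report(text=ACCESS_LOG, authorizations=AUTHORIZATIONS):
    """Bundle the three checks into one review listing for management."""
    entries = parse_log(text)
    return {
        "unauthorized": [(e["ts"], e["user"], e["resource"])
                         for e in unauthorized_successes(entries, authorizations)],
        "repeated_denials": repeated_denials(entries),
        "unused": unused_authorizations(entries, authorizations),
    }
```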


file, and the use of highly sensitive files or access privileges should be routinely reviewed by management. Special access privileges, access to sensitive files, and related audit procedures are covered in section AC-4.1.


For systems that can be accessed through public telecommunications lines, some users may be granted dial-up access. This means that these individuals can use a modem to access and use the system from a remote location, such as their home or a field office. Because such access can significantly increase the risk of unauthorized access, it should be limited and the associated risks weighed against the benefits. To help manage the risk of dial-up access, justification for such access should be documented and approved by owners. (See section AC-1 for controls to help manage the risks of dial-up access, such as dial-back procedures to preauthorized phone numbers or the use of security modems, tokens, or smart cards to authenticate a valid

Inactive accounts and accounts for terminated individuals should be disabled or removed in a timely manner. It is important to notify the security function immediately when an employee is terminated or, for some other reason, is no longer authorized access to information

Notification may be provided by the human resources department or by others, but policies should exist that clearly assign responsibility for such notification. Terminated employees who continue to have access to critical or sensitive resources pose a major threat, as do individuals who may have left under acrimonious circumstances.


Owners should determine disposition and sharing of data. A mechanism should be established so that the owners of data files

Required access to shared file systems should be restricted to the

the level of access required. Many scientific agencies use file sharing networks. File sharing facilitates connections between persons who are looking for certain types of files. A type of file sharing known as peer-to-peer (P2P) refers to any software or

to each other and trade files. While there are many appropriate uses of this technology, several studies show that the vast majority of files traded on P2P networks are copyrighted music files and pornography. Data also suggest that P2P is a common avenue for the spread of computer viruses within IT systems. As required by FISMA, agencies are to use NIST standards and guidance to complete system risk and impact assessments in developing security plans and authorizing systems for operation. Operational controls detailing procedures for handling and distributing information and management controls outlining rules of behavior for users should

in place to prevent and de


AC-3.3. Processes and services are

information systems, and they should be limited to those needed to effectively perform an entity's mission and business functions. In an information system, processes are systematic operations to produce a specified result. This includes operations performed within a computer such as editing, summarizing, categorizing, and updating. Services refer to customer or product-related business functions such as file transfer protocol (FTP), hypertext transfer protocol (HTTP), and mainframe supervisor calls. Each system provides a set of services. For example, a computer network allows its users to send packets to specified destinations; a database system responds to queries; and a processor performs a number of different instructions. Controls related to processes and services include all of the technological and managerial safeguards established and applied to an information system to protect hardware, software, and data from accidental or malicious modification, destruction, or disclosure.


When evaluating an

should be minimized,

of processes and services should
by management and

critical to ensuring the confidentiality, integrity, and availability of user data and, ultimately, the accomplishment of an entity's mission. Access control policies and enforcement mechanisms are used by entities to control access between users (or processes acting on behalf of users) and objects (for example, records, fields, processes, programs) in the information system. Access control policies can be identity-based, role-based, or rule-based. Access enforcement mechanisms include access control lists, access control matrices, and cryptography. Where encryption of stored information is used as an access enforcement mechanism, the cryptography used should be in compliance with applicable

important to maintain current service versions. According to NIST guidance, the information system should be periodically reviewed to identify and eliminate unnecessary services (for example, FTP, HTTP, mainframe supervisor calls), and protocols that would introduce an unacceptable level of risk should be disabled. The information system that supports the server functionality should be, as much as possible, dedicated to that purpose. In addition, the function and purpose of processes and services should be documented and approved by appropriate entity officials.

According to NIST SP 800-53, additional process and service controls should be implemented to

• prohibit remote activation of collaborative computing mechanisms (e.g., video and audio devices),

• ensure that lower priority processes do not interfere with higher priority processes, and

• ensure proprietary information and applications are protected from processes and systems available to the public.


AC-3 Related NIST SP 800-53 Controls

AC-3 Access Enforcement

AC-6 Least Privilege

CM-7 Least Functionality

SC-6 Resource Priority

SC-14 Public Access Protections

SC-15 Collaborative Computing


Control Techniques and Suggested Audit Procedures for Critical Element AC-3

Critical Element AC-4. Adequately protect sensitive system resources

Certain system resources are more sensitive than others; if compromised, serious security breaches could occur.

access to capabilities that would allow him or her to circumvent features found in either operating system security software or access controls built into application software. The individual would then be able to read, modify, or destroy application programs and data and the electronic audit trail of his or her activities. In addition, inadequate media controls can result in a loss of confidentiality of sensitive data. Further, cryptographic controls may be needed to protect sensitive information where it is not otherwise possible or practical to adequately restrict access through either physical or logical

disposal of those who

should be adequately controlled and monitored to identify any inappropriate or unusual behavior. Such behavior may indicate unauthorized access or an individual who is improperly exploiting access privileges. For example, greater than normal use of system software or use at odd hours may indicate that an individual is using the software to search for system weaknesses to exploit or to make unauthorized changes to system or application software or data. For monitoring to be effective in both detecting and deterring inappropriate use, personnel authorized to use system software should understand which uses are appropriate and which are not and also that their activities may be monitored. Such policies should be documented and distributed to all personnel.

Policies and techniques should be implemented for using and monitoring the use of system tools and utilities. Some system utilities are used to perform system maintenance routines that are frequently required during normal processing operations. Other utilities aid the development and documentation of applications systems. These utilities can aid individuals who have fraudulent or malicious intentions in understanding how the programs or data in an application system operate and in how to make unauthorized


application systems.

• Data manipulation utilities, data comparison utilities, and query utilities can be used to access and view data

• Online debugging facilities permit online changes to program object code leaving no audit trail and can activate programs at selected stop points.

• Library copiers can copy source code from a library into a program; text and online editors permit modification of program

feature that provides for logging and reporting of its use. Such reports should identify when and for whom the software was used. It is important that this software operation work properly and that the reports are reviewed on a regular basis.

The availability of standard usage data may assist the systems manager in identifying unusual activity. Some systems can be designed to compare standard usage data with actual use and report significant variances, thus making it easier for the system manager to identify unusual activity. When questionable activity is identified, it should be investigated. If improper activity is determined to have occurred, in accordance with security violation policies, the incident(s) should be documented, appropriate disciplinary action taken, and, when appropriate, high-level management notified. Further, the possibility of improper alteration of the system software, application software, and related data files should be investigated and corrective action taken if needed. Such action should include notifying the resource owner of the violation.
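The comparison of standard usage data with actual use described above, together with the earlier point that use of system software at odd hours may indicate misuse, can be expressed as a small variance check. The Python below is an added example for this edit, not GAO's or any vendor's code; the baseline counts, the usage-log lines (assumed format: timestamp user utility), the 07:00 to 18:59 business-hours window and the factor of two are all constructed assumptions.

```python
"""Flag system-utility use that departs from standard usage data (added example, not GAO's code)."""
from collections import Counter
from datetime import datetime

BUSINESS_HOURS = range(7, 19)   # assumed normal window: 07:00-18:59
VARIANCE_FACTOR = 2.0           # assumed: report when actual use exceeds twice the baseline

# Constructed standard usage data: expected weekly invocations per (user, utility).
# A baseline of 0 means the user is not expected to use that utility at all.
BASELINE = {
    ("sysprog1", "DEBUG"): 4,
    ("sysprog1", "LIBCOPY"): 2,
    ("oper2", "DEBUG"): 0,
}

# Constructed utility-usage log for one week; assumed format: timestamp user utility.
USAGE_LOG = """\
2009-02-02T08:10:00 sysprog1 DEBUG
2009-02-02T09:30:00 sysprog1 LIBCOPY
2009-02-03T10:05:00 sysprog1 DEBUG
2009-02-03T14:20:00 sysprog1 DEBUG
2009-02-04T11:00:00 sysprog1 DEBUG
2009-02-04T23:40:00 sysprog1 LIBCOPY
2009-02-05T02:15:00 oper2 DEBUG
2009-02-05T02:16:00 oper2 DEBUG
2009-02-05T02:17:00 oper2 DEBUG
2009-02-05T02:18:00 oper2 DEBUG
2009-02-05T02:19:00 oper2 DEBUG
"""


def parse_usage(text):
    """Return (datetime, user, utility) tuples in log order."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, user, utility = line.split()
            records.append((datetime.fromisoformat(ts), user, utility))
    return records


def off_hours_use(records):
    """Utility invocations outside the business-hours window."""
    return [(ts.isoformat(timespec="minutes"), user, utility)
            for ts, user, utility in records if ts.hour not in BUSINESS_HOURS]


def usage_variances(records, baseline=BASELINE, factor=VARIANCE_FACTOR):
    """(user, utility, actual, expected) where actual exceeds factor * expected.

    With an expected count of 0 any use at all is reported, since the
    comparison then reduces to actual > 0.
    """
    actual = Counter((user, utility) for _, user, utility in records)
    findings = []
    for (user, utility), n in actual.items():
        expected = baseline.get((user, utility), 0)
        if n > expected * factor:
            findings.append((user, utility, n, expected))
    return sorted(findings)


def variance_report(text=USAGE_LOG):
    """Items the systems manager should investigate under the violation policy."""
    records = parse_usage(text)
    return {"off_hours": off_hours_use(records), "variances": usage_variances(records)}
```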

In addition to controlling access to sensitive system resources, it is also important to control a number of other activities. First, default permissions and rights to system software and network devices should be changed during installation. Second, system libraries should be appropriately controlled; for example, the migration of system software from the testing environment to the production environment should be performed by an independent group.


Mobile  code  refcas  to  pmgraras  (for  example,  script,  macro,  or  other 
portable  mstnictionj  that  can  be  shipped  unchanged  to  a 
}>eterogeneoits  collection  of  platforms  and  executed  with  identicBl 
semantics.  Being  able  to  download  files  and  eleclionic  documents 
oS  the  Inteinet  is  a  useful  ftmction  and  a  common  practice  today. 
Web  pages  serve  as  an  electronic  counterpart  to  paper  docuraenl* 
Itowever,  unlike  p^er  documenis,  Web  pages  can  entail  active 
content  that  is  capable  of  delivering  digitally  encoded  multimedia 


The popularity of the World Wide Web has spurred the trend toward active content. A dynamic weather map, a stock ticker, and live [...] are common examples of the use of this technology. Like any technology, active content can provide desired functionality, but can also become a source of vulnerability for an attacker to exploit.

Mobile code controls should include registration, approval, and control of the mobile code used within the entity; the mobile code involved should be approved by an authorizing official.

[...] combinations of these methods, or other methods, as appropriate.

Secondly, it is desirable for the information system to isolate security functions from nonsecurity functions by means of partitions, domains, etc., including control of access to and integrity of the hardware, software, and firmware that perform those security functions. The information system maintains a separate execution domain (for example, address space) for each executing process. Thirdly, the information system should establish a trusted path between the user and the security functions of the system.


AC-4.2. Adequate media controls have been implemented

Media controls should be implemented to control unauthorized physical access to digital and printed media removed from the information system and during pickup, transport, and delivery to authorized users. Media should also be properly labeled to identify its sensitivity and distribution limitations. Finally, all sensitive [...]


Media controls also apply to portable and mobile computing and communications devices with information storage capability (e.g., notebook computers, personal digital assistants, cellular telephones). [...] have adequate controls in place over such portable media. OMB Memorandum M-06-16 recommends that federal agencies encrypt all data on mobile computers/devices which carry agency data unless the data is determined to be non-sensitive, in writing, by the agency's Deputy Secretary or an individual they may designate in writing.

In addition, as part of the risk assessment process, entities should identify information that is sensitive, including personally identifiable information. Entities should implement controls in [...]


Similarly, information in storage, in process, and in transmission [...]

[...] associated with information provided to the system are consistent with the information that the user is allowed to access. It is important that security parameters are exchanged between systems to authenticate services requested by another system. Security parameters include, for example, security labels and markings. Security parameters may be explicitly or implicitly associated with the information contained within the information system.

The entity should have policies and procedures in place to remove sensitive information and software from computers, disks, and other equipment or media when they are disposed of or transferred to another use. Further, approved equipment and techniques should be used and periodically tested to ensure correct performance. If sensitive information is not fully cleared, it may be recovered and inappropriately used or disclosed by individuals who have access to the discarded or transferred equipment and media.

Cryptographic tools can be used to identify and authenticate users and to protect the confidentiality and integrity of data and programs, both while these data and programs are in the computer system and while they are being transmitted to another computer system or stored on removable media.

As discussed in FIPS Pub 140-2, cryptographic-based security systems may be utilized in various computer and telecommunication applications (e.g., data storage, access control and personal identification, network communications, radio, facsimile, and video) and in various environments (e.g., centralized computer facilities, office environments, and hostile environments). The cryptographic services (e.g., encryption, authentication, digital signature, and key management) provided by a module are based on many factors that are specific to the application and environment in which the module will be utilized and the security services it will provide. The security requirements for a particular security level include both the security requirements specific to the level and those that apply to all modules regardless of level.


Cryptography involves the use of algorithms (mathematical formulae) and combinations of keys (strings of bits) to do any or all of the following:

• encrypt, or electronically scramble, a message or file so that it is unintelligible to those who do not have the key;

• verify the integrity of the message or file; [...]


Cryptographic tools are especially valuable for any application that involves "paperless" transactions or for which the users want to avoid relying on paper documents to substantiate data integrity and validity. Examples include

• electronic commerce, where purchase orders, receiving reports, and invoices are created, approved, and transmitted electronically;

• travel administration, where travel orders and travel vouchers [...]


Cryptographic tools may be linked to an individual application or implemented so that they can be used to sign or encrypt data associated with multiple applications. For example, the personal computers connected to a local area network may each be fitted with hardware and/or software that identifies and authenticates users and allows them to encrypt, sign, and authenticate the messages and files that they send or receive, regardless of the application that they are using.


There are a number of technical issues to consider concerning cryptography. Some of the key considerations are listed here:

• [What is the path between the user and] the cryptographic module, and is this path protected?

• How strong, or complex, is the algorithm used to encrypt and sign data?

• How are keys managed and distributed?

• Does the entity's use of cryptographic tools comply with related standards issued by NIST?

• [...] techniques that are appropriate [...]

If the auditor identifies the use of cryptographic tools and determines that they are significant to the IS controls, they should obtain the most current guidance from OMB, NIST, and GAO, and consider using an auditor experienced in assessing cryptographic controls.

AC-4 Related NIST SP 800-53 Controls

Application Partitioning
Security Function Isolation
Information Remnance
[...]
Transmission Confidentiality
Trusted Path
Cryptographic Key Establishment and Management


Critical Element AC-5. Implement an effective audit and monitoring capability

Audit and monitoring involves the regular collection, review, and analysis of auditable events for indications of inappropriate or unusual activity, and the appropriate investigation and reporting of such activity. Automated mechanisms may be used to integrate audit monitoring, analysis, and reporting into an overall process for investigation and response to suspicious activities. Audit and monitoring controls can help security professionals routinely assess [...]

[...] computer forensics. Network-based intrusion detection systems (IDSs) capture or "sniff" and analyze network traffic in various parts of a network. On the other hand, host-based IDSs analyze activity on a particular computer or host. Both types of IDS have advantages and disadvantages.

Under FISMA, each federal agency implements an information security program that includes procedures for detecting, reporting, and responding to security incidents. Further, OMB is to ensure the operation of a central federal information security incident center to

• provide timely technical assistance to system operators,

• compile and analyze incident information,

• inform system operators about threats and vulnerabilities, and

• consult with NIST, national security agencies, and other designated agencies such as the Department of Homeland Security.


NIST issued two relevant special publications that provide guidance:

• SP 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS), and

• SP 800-61, Computer Security Incident Handling Guide.

SP 800-61 discusses four steps in incident handling:

• preparation,

• detection and analysis,

• containment, eradication, and recovery, and

• post-incident activity.

An IDS detects inappropriate, incorrect, or anomalous activity aimed at disrupting the confidentiality, integrity, or availability of a protected network and its computer systems. An IDS collects information on a network, analyzes the information on the basis of a preconfigured rule set, and then responds to the analysis. A description of the technologies, their effectiveness, and how they work is provided in Technologies to Secure Federal Systems, GAO-04-467 (Washington, D.C.: March 2004).
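To make the collect, analyze, respond model concrete, here is an added Python example; it is not from the manual or from GAO. It parses a constructed set of network flow summaries, applies two preconfigured rules (a clear-text administrative service reached from outside the protected network, and a port sweep), and maps the resulting alerts to a planned response. The flow record format, the 192.0.2.0/24 range used as the protected network, the rule names and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed flow summaries (not from the manual), in an assumed format:
# timestamp src_ip dst_ip dst_port protocol
SAMPLE_FLOWS = """\
2009-02-10T10:00:01 203.0.113.7 192.0.2.10 22 tcp
2009-02-10T10:00:02 203.0.113.7 192.0.2.10 23 tcp
2009-02-10T10:00:02 203.0.113.7 192.0.2.10 25 tcp
2009-02-10T10:00:03 203.0.113.7 192.0.2.10 80 tcp
2009-02-10T10:00:03 203.0.113.7 192.0.2.10 110 tcp
2009-02-10T10:00:04 203.0.113.7 192.0.2.10 143 tcp
2009-02-10T10:05:00 192.0.2.44 192.0.2.10 80 tcp
2009-02-10T10:06:10 198.51.100.9 192.0.2.20 23 tcp
2009-02-10T11:00:00 192.0.2.44 192.0.2.20 445 tcp
"""

PROTECTED_PREFIX = "192.0.2."   # assumed address range of the protected network


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str


def parse_flows(text: str) -> list:
    """Collection step: turn the constructed flow lines into Flow objects."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(dport), proto))
    return flows


def rule_cleartext_admin_inbound(flows):
    """Rule 1: a clear-text administrative service (telnet, TCP/23) reached
    from an address outside the protected network."""
    return [("cleartext_admin_inbound", f.src, f.dst, f.dport)
            for f in flows
            if f.dport == 23 and not f.src.startswith(PROTECTED_PREFIX)]


def rule_port_sweep(flows, min_ports=5, window=timedelta(seconds=10)):
    """Rule 2: one source touching at least min_ports distinct ports on one
    host within the time window (reported once per source/destination pair)."""
    alerts = []
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append(f)
    for (src, dst), pair_flows in by_pair.items():
        pair_flows.sort(key=lambda f: f.ts)
        for i, first in enumerate(pair_flows):
            ports = {g.dport for g in pair_flows[i:] if g.ts - first.ts <= window}
            if len(ports) >= min_ports:
                alerts.append(("port_sweep", src, dst, len(ports)))
                break
    return alerts


RULE_SET = [rule_cleartext_admin_inbound, rule_port_sweep]

# Predefined responses per rule, with a severity order so that the most
# severe action wins when one source triggers several rules.
RESPONSE_FOR = {"cleartext_admin_inbound": "notify_system_owner",
                "port_sweep": "block_source"}
SEVERITY = {"notify_system_owner": 1, "block_source": 2}


def run_ids(flows, rules=RULE_SET) -> list:
    """Analysis step: evaluate the preconfigured rule set over the flows."""
    alerts = []
    for rule in rules:
        alerts.extend(rule(flows))
    return alerts


def plan_response(alerts) -> dict:
    """Response step: choose the most severe predefined action per source."""
    plan = {}
    for name, src, _dst, _detail in alerts:
        action = RESPONSE_FOR[name]
        if SEVERITY[action] > SEVERITY.get(plan.get(src), 0):
            plan[src] = action
    return plan


if __name__ == "__main__":
    found = run_ids(parse_flows(SAMPLE_FLOWS))
    for a in found:
        print("alert:", a)
    print(plan_response(found))
```

The sweep rule is deliberately pair-scoped and windowed: without the window, a long-lived source that legitimately reaches several services over a day would be reported as a sweep, which is the kind of false positive a rule set has to be tuned against.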


AC-5.1. An effective incident response program is documented and approved

An effective incident response program should be implemented. Control techniques include

• documented policies and procedures, including an incident response plan;

• documented testing of the incident response plan;

• a means of prompt centralized reporting;

• [...]

• protection against denial of service attacks; and

• [...] appropriate incident response assistance and consideration of [...] information concerning common vulnerabilities.

Appendix III of OMB Circular A-130 directs the Department of Justice to provide appropriate guidance on pursuing legal remedies [...]


The benefits of an incident-handling capability include

• containing damage from incidents,

• [...]

• improved threat data for use in the risk assessment and control selection process,

• enhanced internal communication and organizational preparedness, and

• enhanced training and awareness programs by providing trainers with better information on user knowledge and providing real-life illustrations for classes.

Also, according to NIST, the characteristics of a good incident-handling capability include

• an understanding of the constituency being served, including [...],

• an educated constituency that trusts the incident-handling team,

• a means of prompt centralized reporting, such as through a [...], and

• [...] the entity's public relations office [...].


One aspect of incident response that can be especially problematic is gathering the evidence to pursue legal action. Incident response [...]

[...] threat warning information, and coordinating incident response [...]

As the nation's focal point for preventing, protecting against, and responding to cyber security vulnerabilities, US-CERT interacts with all federal agencies, private industry, the research community, state and local governments, and others on a 24x7 basis to disseminate reasoned and actionable cyber security information. To provide security information to the public, US-CERT

• integrates content contributed by numerous organizations from both the public and private sectors,

• aggregates and analyzes the various types of data provided by contributing organizations,

• serves as the focal point for promoting common and comprehensive analysis of security trends and risks, and

• maintains quality control standards and works to ensure [...]

Worldwide, there are more than 260 organizations that use the name CERT or a similar name and deal with cyber security response. US-CERT and the CERT Coordination Center at Carnegie Mellon University work jointly on cyber security activities. When a cyber security problem warrants, US-CERT coordinates a response by working with computer security experts from public and private [...] state and local incident response teams. (See www.us-cert.gov.)


[...] including the following OMB Memoranda:

• Safeguarding Against and Responding to the Breach of Personally Identifiable Information (5/22/07),

• Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments,

• OMB Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (generally annual OMB memorandums),

• Recommendations for Identity Theft Related Data Breach Notification, and

• Use of Commercial Credit Monitoring Services Blanket Purchase Agreements.


AC-5.2. Incidents are effectively identified and logged

Entity policies and procedures should establish that

• activity is logged so that unauthorized or suspicious activity can be identified;

• access to audit logs should be adequately controlled; and

• managers should review logs for unusual or suspicious activity.

Audit record time stamps should be synchronized systemwide. Such information is critical to compliance with security policies and when investigating security incidents. The settings of the access control software control the nature and extent of audit trail information provided. Typically, audit trails may include user ID, resource accessed, date, time, terminal location, and specific data modified. The information system should have the capability to determine whether or not a given individual took a particular action (non-repudiation).

The completeness and value of the audit trails maintained will only be as good as the entity's ability to thoroughly identify the critical processes and the related information that may be needed. Procedures for maintaining such audit trails should be based on

• the value or sensitivity of data and other resources affected;

• the processing environment (for example, systems development, [...]);

• [...]; and

• legal and regulatory requirements.

Audit trails, including automated logs, need to be retained for an appropriate period of time. Therefore, the entity needs to allocate sufficient audit record storage capacity and configure auditing to prevent the storage capacity from being exceeded. The information system should provide a warning when storage capacity reaches a certain level. If storage capacity is reached, the system should alert appropriate officials and take appropriate, predefined actions such as saving the oldest data offline, shutting down the system, overwriting the oldest audit records, or stopping the generation of audit records.
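The following Python example is added here as an illustration and is not part of the manual or of GAO's material. It parses a constructed audit trail whose fields follow the list above (user ID, resource accessed, date, time, terminal location, action), performs the kind of review a manager would make for unusual activity, and models a bounded audit store that warns as capacity approaches and takes a predefined action (overwrite the oldest records, or alert and stop) when capacity is reached. The record format, the sensitive-resource prefixes, the failure threshold and the business hours are assumptions made for the example.

```python
from collections import Counter, deque
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit trail (not from the manual). Field order is an
# assumption: user|resource|date|time|terminal|action|outcome
SAMPLE_AUDIT_TRAIL = """\
jsmith|/payroll/master.dat|2009-02-10|09:14:02|TERM-014|READ|SUCCESS
jsmith|/payroll/master.dat|2009-02-10|09:15:40|TERM-014|UPDATE|SUCCESS
tadmin|/etc/passwd|2009-02-10|02:03:11|TERM-201|UPDATE|SUCCESS
guest|/payroll/master.dat|2009-02-10|11:00:01|TERM-099|LOGON|FAILURE
guest|/payroll/master.dat|2009-02-10|11:00:09|TERM-099|LOGON|FAILURE
guest|/payroll/master.dat|2009-02-10|11:00:15|TERM-099|LOGON|FAILURE
guest|/payroll/master.dat|2009-02-10|11:00:22|TERM-099|LOGON|FAILURE
rjones|/hr/reviews.db|2009-02-10|14:22:37|TERM-031|READ|SUCCESS
"""


@dataclass
class AuditRecord:
    user_id: str
    resource: str
    timestamp: datetime
    terminal: str
    action: str
    outcome: str


def parse_audit_trail(text: str) -> list:
    """Parse the pipe-delimited constructed format into AuditRecord objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, resource, date, time, terminal, action, outcome = line.split("|")
        records.append(AuditRecord(user, resource,
                                   datetime.fromisoformat(f"{date}T{time}"),
                                   terminal, action, outcome))
    return records


def review_audit_trail(records, sensitive_prefixes=("/payroll", "/etc"),
                       failure_threshold=3, business_hours=(7, 19)):
    """Manager-style review: flag repeated logon failures from one user and
    terminal, and successful off-hours modifications of sensitive resources.
    Thresholds and hours are assumed policy values."""
    findings = []
    failures = Counter()
    for rec in records:
        if rec.action == "LOGON" and rec.outcome == "FAILURE":
            key = (rec.user_id, rec.terminal)
            failures[key] += 1
            if failures[key] == failure_threshold:   # report once, when reached
                findings.append(("repeated_logon_failures", rec.user_id, rec.terminal))
        off_hours = not (business_hours[0] <= rec.timestamp.hour < business_hours[1])
        if (rec.resource.startswith(sensitive_prefixes) and rec.action == "UPDATE"
                and rec.outcome == "SUCCESS" and off_hours):
            findings.append(("off_hours_sensitive_update", rec.user_id, rec.resource))
    return findings


class AuditStore:
    """Bounded audit record storage with a capacity warning and a predefined
    action when capacity is reached: overwrite the oldest record, or alert
    officials and stop generating records (the default)."""

    def __init__(self, capacity: int, warn_at: float = 0.8,
                 on_full: str = "alert_and_stop"):
        self.capacity = capacity
        self.warn_threshold = int(capacity * warn_at)
        self.on_full = on_full
        self.records = deque()
        self.alerts = []
        self.stopped = False

    def append(self, rec: AuditRecord) -> str:
        if self.stopped:
            return "dropped"            # auditing halted; nothing is recorded
        if len(self.records) >= self.capacity:
            self.alerts.append("audit storage capacity reached")
            if self.on_full == "overwrite_oldest":
                self.records.popleft()
                self.records.append(rec)
                return "overwrote_oldest"
            self.stopped = True         # alert raised; stop generating records
            return "stopped"
        self.records.append(rec)
        if len(self.records) >= self.warn_threshold:
            self.alerts.append("audit storage nearing capacity")
            return "warning"
        return "ok"


def fill_store(store: AuditStore, records) -> list:
    """Feed records into a store and return the status of each append."""
    return [store.append(r) for r in records]


if __name__ == "__main__":
    recs = parse_audit_trail(SAMPLE_AUDIT_TRAIL)
    for finding in review_audit_trail(recs):
        print("finding:", finding)
    store = AuditStore(capacity=5, on_full="overwrite_oldest")
    print(fill_store(store, recs))
```

The two predefined actions trade off differently: overwriting the oldest records keeps the system running but silently loses the earliest evidence, while stopping preserves what was recorded but leaves later activity unaudited, which is why the manual expects the choice to be made and approved in advance rather than left to whoever notices the alert.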


AC-5.3. Incidents are properly analyzed and appropriate actions taken

[...] from those trends; [...] and resources [...] access, such as the ability to override [...] be maintained. [...] identified [or] suspected [...]

[Once a security violation] has occurred, appropriate action should be taken to identify and remedy the control weaknesses that allowed the violation to occur, repair any damage that has been done, and determine and discipline the perpetrator. It is important that an entity have formal written procedures for reporting security violations or suspected violations to a central security management office so that multiple related incidents can be identified, other employees can be alerted to potential threats, and appropriate investigations can be performed. Such incidents might include multiple attacks by a common hacker or repeated infections with the same computer virus.

Without prompt and appropriate responses to security incidents, [incidents may] cause damage to an entity's [...]; [violators] will not be deterred from [further activity], which could cause [...] disclosure of confidential [information, damage to] reputation, and financial loss.


An entity should have management procedures in place for responding to security violations. These should include procedures for

• [...]

• sharing incident and threat information with owners of connected systems, and

• notifying and consulting with, as appropriate, law enforcement agencies, and for federal entities, relevant agency IGs and the US-CERT.

[...] procedures should be modified [to] catch increasingly sophisticated [...] resources should be periodically re[viewed for] evidence of information tampering, er[rors, ...]


AC-5 Related NIST SP 800-53 Controls

Supervision and Review—Access Control
Contacts with Security Groups and Associations
Auditable Events
Content of Audit Records
Audit Storage Capacity
Response to Audit Processing Failures
Audit Monitoring, Analysis, and Reporting
Audit Reduction and Report Generation
Time Stamps
Protection of Audit Information
Audit Record Retention
Incident Response Policy and Procedures
Incident Response Testing and Exercises


Critical Element AC-6. Establish adequate physical security controls

Adequate physical security controls should be established that are commensurate with the risks of physical damage or access. In evaluating the effectiveness of physical security controls, the auditor should consider the effectiveness of the entity's policies and practices pertaining to both the overall facility and areas housing sensitive information technology components. Consequently, an entity should implement physical security controls for the following:

• [establishing a physical security management program based on risk,]

• [controlling the facility perimeter (perimeter security),]

• controlling entry to the facility (entry security),

• controlling access within a facility (interior security), and

• protection from emerging physical security threats (emerging threats).

[These controls apply to]

• primary computer facilities,

• network devices such as routers and firewalls,

• [tele]communications equipment, and

• [...]


In June 1995, the Department of Justice (DOJ) published minimum security standards for the protection of federal facilities. It identified and evaluated the various types of security measures that should be used to counteract [...] vulnerabilities [...]. [The standards] cover perimeter security, entry security, interior security, and security planning. Because of the considerable differences among facilities and their security needs, physical holdings are divided into five security levels to determine which minimum standards are appropriate for which security levels [...]


[...] as

• those required [...]

[Physical security controls] also include environmental controls, such [as ...]

[The auditor should perform] inquiries and audit procedures related to [the entity's physical security environment] to the extent necessary to achieve the audit objectives, considering the [audit] objectives (e.g., internal control over financial reporting). Generally, this would include consideration of the overall design of the entity's physical security program at relevant facilities.


AC-6.1. Establish a physical security management program based on risk

Risk management is the foundation of an effective physical security program. The approach to good security is fundamentally similar, regardless of the assets being protected—information systems, buildings, or critical infrastructure. Risk management and the key elements of an effective security program are discussed in section 3.1. In addition, the testimonies Technologies to Secure Federal Buildings (GAO-02-687T) and Key Elements of a Risk Management Approach (GAO-02-150T) [...]

[In evaluating the] effectiveness of the entity's policies and practices pertaining to [physical security, the auditor should consider]

• controlling badges, ID cards, smartcards, passkeys, and other entry devices,

• controlling entry during and after normal business hours,

• controlling the entry and removal of computer resources (for example, equipment and storage media) from the facility,

• managing emergencies,

• [...], and

• [...]


In some instances an entity may not be able to fully control their physical security posture, for example, leased space in a building managed by another organization. In this case, the entity should consider compensating controls and ensure that contingency planning adequately considers their lack of control over physical [security].

As with any type of internal control activity, physical security should be monitored to ensure that [the controls are] accomplishing their intended [objectives, using testing] techniques to ensure that they are effectively implemented.


[Access by] visitors should be controlled. On occasion, persons other than regularly authorized personnel may be granted access to sensitive areas or facilities, such as employees from other facilities, [...] maintenance personnel, contractors, and the occasional unexpected visitor. None of these visitors should be granted unrestricted access. Controls should include

• identification checks,

• controlling the reception area,

• logging in visitors,

• escorting visitors while in sensitive areas, and

• periodically changing entry codes to prevent reentry by previous visitors who might have knowledge of the code.


AC-6.2. Establish adequate perimeter security controls based on risk

Perimeter security is the first line of defense [...]

[...] closed circuit television (CCTV), [...]

• extending perimeter barriers to prevent unauthorized access and reduce exposure to explosions.

Perimeter security includes protective controls such as fencing around sensitive buildings, concrete and earthen and other barriers, appropriate gates and locks, exterior lighting, guard posts, security patrols, and detection and monitoring systems.

AC-6.3. Establish adequate security at entrances and exits based on risk

Access to facilities should be limited to personnel [with a] legitimate need for access [...]. [Management] should regularly review the list [of personnel authorized ...]. [Controls include]

• manual door or cipher key locks,

• magnetic door locks that require the use of electronic keycards,

• [...]

• entry logs, and

• [...]

Unissued keys or other entry devices should be secured. Issued keys or other entry devices should be regularly inventoried.


AC-6.4. Establish adequate interior security controls based on risk

[...] and lines—that are [...] and all physical access points and threats to the sensitive [...]

• developed cost-effective security controls over all physical access points and addressed all significant threats to sensitive [...]

• [... are] combinations entered by authorized personnel?

• [...] of a partition that stops at the underside of a [ceiling] when the partition serves as a wall for a [sensitive area ...]

[Interior security controls are] similar to those for perimeter and entry security (for example, locks, surveillance systems, as well as using and controlling badges, ID cards, smartcards, passkeys, and other entry devices). Additional considerations include

• logs and authorization for removal and return of tapes and other storage media to the library,

• computer terminal locks, [...]


AC-6.5. Adequately protect against emerging threats

[The physical security measures] implemented for any building should be based on several factors, including the perceived risk associated with the building and its tenants, engineering and architectural feasibility, and cost.


AC-6 Related NIST SP 800-53 Controls

PE-2 Physical Access Authorizations

PE-3 Physical Access Control

PE-4 Access Control for Transmission Medium

PE-5 Access Control for Display Medium

PE-6 Monitoring Physical Access

PE-7 Visitor Control

PE-8 Access Records


3. Configuration Management (CM)

Configuration management [...]

[...] desktop and server configurations that define authorized access to specified devices, and they compare these settings against a baseline policy. At a system level, network management provides system administrators with the ability to control and monitor a computer network from a central location. Network management systems obtain status data from network components, enable network managers to make configuration changes, and alert them of [...]

[...] acceptable system configuration requirements and ensure compliance with them. Systems with secure configurations have less vulnerability and are better able to thwart network attacks. In [...] http://checklists.nist.gov. Typically, checklists are created by information technology vendors for their own products; however, checklists are also created by other entities such as consortia, academia, and government agencies. Security configuration checklists are a series of instructions for configuring a product to a particular operational environment. Some examples of the types of devices and software for which security checklists are intended are as follows:

• general purpose operating systems

• [...] software

• infrastructure devices such as routers, firewalls, virtual private network (VPN) gateways, intrusion detection systems, wireless access points (WAP), and telecom systems

• application servers such as domain name system (DNS) servers, dynamic host configuration protocol (DHCP) servers, [...] servers, simple mail transfer protocol (SMTP) servers, file transfer protocol (FTP) servers, and database servers

• other network devices such as mobile devices, [...], copiers, and appliances


[...] maintaining a system or network. Through configuration management, the composition of a system is formally defined and tracked to ensure that an unauthorized change is not introduced. Changes to an information system can have a significant impact on the security of the system. Documenting information system changes and assessing the potential impact on the security of the system on an ongoing basis is an essential aspect of maintaining the security posture. An effective entity configuration management and control policy and associated procedures are essential to ensuring adequate consideration of the potential security impact of specific changes to an information system. Configuration management and [control procedures are critical to establishing an initial baseline of] hardware, software, and firmware components for the entity and an accurate inventory of [...]

[The configuration] management process consists of four [phases], each of which should be described in a [configuration manage]ment plan and implemented according to [the plan]:

• configuration identification: [...]

• [configuration control: procedures for evaluating] proposed changes on the basis of costs, benefits, and risks, and deciding whether to permit a change;

• configuration status accounting: procedures for documenting and reporting on the status of configuration items as a system evolves. Documentation, such as historical change lists and original designs or drawings, are generated and kept in a library, thereby allowing entities to continuously know the state of a system's configuration and be in a position to make informed decisions about changing the configuration; and

• configuration auditing: procedures for determining alignment [...]
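
As an added illustration of the configuration management phases listed above (this is example code, not GAO's or FISCAM's own material), the following Python script holds a constructed baseline and an as-found configuration for one server, a constructed change log that stands in for configuration status accounting, and a configuration audit that classifies each deviation from the baseline as authorized, unauthorized, or unbaselined. The setting names and values are assumptions chosen to resemble items from a security configuration checklist; the change request identifier and approver are placeholders.

```python
from dataclasses import dataclass

# Constructed configuration baseline (assumed checklist-style settings).
BASELINE = {
    "sshd.PermitRootLogin": "no",
    "sshd.Protocol": "2",
    "firewall.default_inbound": "deny",
    "telnet.enabled": "false",
    "audit.enabled": "true",
    "audit.max_log_file_mb": "512",
}

# Constructed "as found" configuration read back from the same server.
CURRENT = {
    "sshd.PermitRootLogin": "yes",
    "sshd.Protocol": "2",
    "firewall.default_inbound": "deny",
    "telnet.enabled": "true",
    "audit.enabled": "true",
    "audit.max_log_file_mb": "1024",
    "ftp.enabled": "true",
}


@dataclass
class ChangeRecord:
    """One approved change, as recorded by configuration status accounting.
    The ticket id and approver are placeholder values."""
    item: str
    old: str
    new: str
    ticket: str
    approved_by: str


CHANGE_LOG = [
    ChangeRecord("audit.max_log_file_mb", "512", "1024", "CR-PLACEHOLDER-1", "change control board"),
]


def configuration_audit(baseline: dict, current: dict, change_log: list) -> list:
    """Configuration auditing: compare the as-found settings with the baseline
    and classify each deviation. A deviation matching an approved change is
    'authorized'; any other difference is 'unauthorized'; a setting present
    on the system but absent from the baseline is 'unbaselined'; a baselined
    setting that cannot be read is 'missing'."""
    approved = {(c.item, c.new) for c in change_log}
    findings = []
    for item, expected in baseline.items():
        actual = current.get(item)
        if actual is None:
            findings.append(("missing", item, expected, None))
        elif actual != expected:
            status = "authorized" if (item, actual) in approved else "unauthorized"
            findings.append((status, item, expected, actual))
    for item, actual in current.items():
        if item not in baseline:
            findings.append(("unbaselined", item, None, actual))
    return findings


def unauthorized_items(findings: list) -> list:
    """Names of settings that drifted without an approved change."""
    return [item for status, item, _exp, _act in findings if status == "unauthorized"]


def roll_forward_baseline(baseline: dict, change_log: list) -> dict:
    """Status accounting: fold approved changes into a new baseline so the
    documented configuration keeps pace with the system as it evolves."""
    updated = dict(baseline)
    for c in change_log:
        if updated.get(c.item) == c.old:
            updated[c.item] = c.new
    return updated


if __name__ == "__main__":
    for finding in configuration_audit(BASELINE, CURRENT, CHANGE_LOG):
        print(finding)
    print("unauthorized:", unauthorized_items(configuration_audit(BASELINE, CURRENT, CHANGE_LOG)))
```

Separating "authorized" from "unauthorized" drift is the point of keeping the change log: without it, an audit can only report that the system differs from the baseline, not whether the difference went through configuration control.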


Establishing controls over the m[odification of ...] [...] discrete processing [...] should be implemented, thereby [...] processing that is assumed [...]

Effective configuration management prevents unauthorized changes to information system resources (for example, software programs and hardware configurations) and provides reasonable assurance that systems are configured and operating securely and as intended.

The absence of effective system-level configuration management is a serious risk that jeopardizes an entity's ability to support current and potential requirements. Without effective configuration management, users do not have adequate assurance that the system and network will perform as intended and to the extent needed to [...]


[...] in related configuration management programmatic areas of capital planning and investment control, and security services and product acquisition. This publication discusses practices designed to help security managers identify funding needs to secure systems and provide strategies for obtaining the necessary funding. In addition, it provides guidance to entities in applying risk management principles to assist in the identification and mitigation of risks associated with security services acquisitions.


Critical Element CM-1. Develop and document CM policies, plans, and procedures

Configuration management [policies, plans, and procedures should] be developed, documented, [and implemented at the entity,] system, and application l[evels ... consistent with the] entity's Systems Development Life Cycle (SDLC) methodology.

An effective entitywide SDLC methodology details the procedures that are to be followed when systems and applications are being designed and developed, as well as when they are subsequently modified. The SDLC should provide a structured approach for identifying and documenting needed changes to computerized operations; assessing the costs and benefits of various options, including the feasibility of using off-the-shelf software; and designing, developing, testing, and approving new systems and system modifications. It is especially important that, for new systems being developed or for major enhancements to existing systems, the SDLC require approving design features at key points [throughout the design ...]


The design/development phase includes efforts directed to designing, programming, developing, and testing the system. In this phase, the entity should define the system's security functional [requirements ...] (e.g., access controls), assurances (e.g., background checks for system developers), or operational practices (e.g., security awareness training). This phase should also include testing the technical and system control features to ensure that they perform as intended.

In the implementation phase, the entity configures and enables information system control features, tests the functionality of these features, installs the system, and tests the system prior to placing it into operation to ensure that it meets all required security specifications. Tests should include user acceptance testing and related documentation of this test. Design reviews and system tests should be fully documented, updated as new reviews or tests are performed, and maintained.


In the operation and maintenance phase, systems are in place and [operating, enhancements are] developed and tested, and software is added or replaced.

[...] a transaction, and are typically used to assure the reasonableness or [validity of ... Controls can be] preventive or detective. Automated controls can keep invalid data from being processed, and they can report transactions that fail to meet reasonableness criteria. Manual controls performed prior to input can identify problems before data is processed, while monitoring controls performed after processing can identify errors.

Information system controls should be considered throughout the SDLC process. In addition, in this process safeguarding provisions for personally identifiable information should be reviewed, including conducting privacy impact assessments when new IT systems are under development or significant modifications are made, as required by OMB.

NIST SP 800-64, dated October 2003, identifies security considerations in the information system development life cycle. In addition, NIST SP 800-27 provides guidance on engineering principles for designing security into information systems.


Configuration management policies and procedures should describe the configuration management process and address purpose, scope,


• Monitoring system changes and analysis of their impact to determine the effect of the change.

• Access restrictions over changes to the system and auditing of the enforcement actions.


developed outside of the entity's normal software development process, including the outsourced development of software and commercial or other software acquired by individual users. Specific configuration management policy considerations for systems that are Internet accessible (inbound or outbound) should address software quality controls designed to prevent security flaws from being introduced.

Configuration management plans should address configuration management in terms of the following:

• accomplishing the planned

• required coordination of configuration management activities with other activities (when)

• tools and physical and human resources required for the execution of the plan as well as how the plan will be kept current

system. The procedures should describe
are stored and retrieved; shared between
protected by access controls; and stored.


CM-1 Related NIST SP 800-53 Controls

CM-1 Configuration Management Policy and Procedures


The entity should maintain current configuration information in a formal configuration baseline that contains the configuration information formally designated at a specific time during a system's or product component's life. Configuration baselines, plus approved changes from those baselines, constitute the current configuration information. The entity should maintain a current and comprehensive baseline inventory of hardware, software, and firmware, and this inventory should be routinely validated for accuracy.


CM-2 Related NIST SP 800-53 Controls

CM-2 Baseline Configuration

CM-6 Configuration Settings

CM-8 Information System Component Inventory

SA-5 Information System Documentation


Control Techniques and Suggested Audit Procedures for Critical Element CM-2

Critical Element CM-3. Properly authorize, test, approve, track, and control all configuration changes

An entity should properly control all configuration changes; not only changes made by internal developers but also changes made by external developers or contractors (see SM-7 for activities performed by external third parties). This includes a wide range of activities, beginning with the establishment of a formal change management process. Management should authorize and approve all configuration changes. Test plan standards should be developed for


Authorizations for system and application software modifications should be documented and maintained. Policies and procedures should define the authority for approving proposed system and application changes and maintaining the development and production baselines.

The configuration status accounting process records and reports the status of configuration items. The following are minimum data elements to be tracked for a configuration item: (1) its initial approved version, (2) the status of requested changes, and (3) the implementation status of approved changes. The level of detail and specific data required may vary according to the information needs of the project and the customer.

A disciplined process for testing and approving new and modified systems before their implementation is essential to make sure systems hardware and related programs operate as intended and

are introduced. Test plans should

modifications may require less extensive testing; however, changes should still be carefully controlled and approved since relatively minor program code changes, if performed incorrectly, can have a significant impact on security and overall data reliability.

Once a change has been authorized, it should be

written into the program code, and

Because testing is an iterative process that occurs at several levels, it is important that the entity adhere to a formal set of configuration management procedures or standards for prioritizing, scheduling, testing, and approving changes. These procedures should be described in the entity's configuration management plan and should include requirements for

• tracking and scheduling configuration changes so that authorized change requests are not lost and are implemented efficiently and in accordance with user needs

• preparing detailed specifications for the configuration change,

• developing related configuration changes to system documentation, including hardware documentation, operating

functional requirements by system testers; and

• obtaining final user acceptance only after testing is successfully


version of a program available in case the integrity of an installed version is called into question and (2) a permanent historical record of old program versions.

Separate libraries should be established for programs being developed or modified, programs being tested by users, and programs approved for use (production programs). Access to these libraries should be limited and movement of programs and data among them should be controlled.

Inadequately controlled software libraries increase the risk that unauthorized changes could be made either inadvertently or deliberately for fraudulent or malicious purposes. In addition, inadequate controls over programs being developed or modified

• unauthorized changes to either test or production programs could be made and remain undetected.

• programs in libraries could be deleted or lost.


changes. Specifically, such software can be used to

• produce audit trails of program changes and

and from user


Many federal agencies have data processing operations that involve multiple locations and require a coordinated effort to package and coordinate distribution and implementation of new or revised software. For example, an entity may have a central software

have two or more regional data processing centers running the same software. Once a modified software program has been approved for use, the change should be communicated to all affected parties and distributed and implemented in a way that leaves no doubt about when it is to begin affecting processing. To accomplish these objectives, an entity should have and follow established procedures for announcing approved changes and their implementation dates


be improperly processed

• implementation of unapproved and possibly malicious software,

• continued use of outdated versions of software, and

• processing of similar data at different locations.

With independent processing sites, each site is responsible for implementing the correct version of the software at the predetermined date and time and maintaining the documentation

software through one or more central computers or servers minimizes the risk that the software will be inconsistently

The use of public domain and personal software should be restricted. It is important that an entity have clear policies regarding the use of personal and public domain software by employees at work. Allowing employees to use their own software or even diskettes for data storage that have been used elsewhere increases the risk of introducing viruses. It also increases the risk of violating copyright laws and making bad decisions based on incorrect information produced by erroneous software. As mentioned in section CM-5, virus identification software can help contain damage from viruses that may be introduced from unauthorized use of public domain software, from personal software, or from corrupted diskettes.


CM-3 Related NIST SP 800-53 Controls

CM-3 Configuration Change Control
SA-2 Allocation of Resources
SA-3 Life Cycle Support
SA-4 Acquisitions
SA-8 Security Engineering Principles
SA-10 Developer Configuration Management
SA-11 Developer Security Testing


Control Techniques and Suggested Audit Procedures for Critical Element CM-3


Monitoring, sometimes called configuration audits, should be periodically conducted to determine the extent to which the actual

documentation have been achieved by the design and that the design has been accurately documented in the configuration document. The purpose and benefits of the process include the following:

• Ensures that the product design provides the agreed-to performance capabilities

• Validates the integrity of the configuration documentation

• Ensures a known configuration as the basis for operation and maintenance instructions, and training

Security settings for network devices, operating systems, and infrastructure applications need to be monitored periodically to ensure that they remain set to the most restrictive mode consistent with the information system operational requirements. NIST SP 800-70 provides guidance on configuration settings (for example, checklists) for information technology products.

A process and related procedures need to be established to document the results from monitoring configuration items and ensure that discrepancies are properly corrected. For example, network and host environments should be scanned on a regular basis to determine whether patches have been effectively applied. A formal process with central management helps to ensure patch

compliance with the network configuration. Audit results need to be recorded indicating

verification results, and
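The configuration audit described above, comparing the actual state of a system against its approved baseline and recording the discrepancies, can be automated. The following is an added example written for this edition of the page; it is not FISCAM text and not a GAO or NIST tool. It records an approved baseline as SHA-256 digests of configuration files, takes a fresh snapshot of a deployed directory tree, and reports what was added, removed, or modified. The file paths and contents are constructed for the demonstration, and the drift it detects (a weakened sshd setting, an unapproved cron job, a missing file) is injected by the script itself; only the Python standard library is used.

```python
import hashlib
import os
import tempfile

# Constructed "approved" configuration: relative path -> content as it was
# when the baseline was formally approved. A real baseline would be generated
# from the approved system and stored where operators cannot alter it.
APPROVED_CONFIG = {
    "etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
    "etc/sysctl.conf": "net.ipv4.ip_forward = 0\n",
    "etc/hosts.allow": "sshd: 10.0.0.0/8\n",
}


def digest(data: bytes) -> str:
    """SHA-256 hex digest; a content hash is what the baseline records."""
    return hashlib.sha256(data).hexdigest()


def baseline_from_content(approved: dict) -> dict:
    """Turn approved file contents into the baseline record (path -> digest)."""
    return {path: digest(text.encode()) for path, text in approved.items()}


def snapshot(root: str) -> dict:
    """Hash every regular file under root, keyed by path relative to root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                result[rel] = digest(fh.read())
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Classify drift between the baseline and the current snapshot."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),      # unapproved files
        "removed": sorted(set(baseline) - set(current)),    # missing files
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def write_tree(root: str, files: dict) -> None:
    """Materialise path -> content on disk (binary write keeps hashes stable)."""
    for rel, text in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(text.encode())


def run_demo() -> dict:
    """Build a deployed tree that has drifted from the baseline and audit it."""
    baseline = baseline_from_content(APPROVED_CONFIG)
    deployed = dict(APPROVED_CONFIG)
    # Constructed drift, injected here for the demonstration:
    deployed["etc/ssh/sshd_config"] = "PermitRootLogin yes\nPasswordAuthentication no\n"
    deployed["etc/cron.d/unapproved"] = "* * * * * root /tmp/collect.sh\n"
    del deployed["etc/hosts.allow"]
    with tempfile.TemporaryDirectory() as root:
        write_tree(root, deployed)
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind:9s} {paths}")
```

The report is the audit evidence the manual asks for: each discrepancy can be ticketed, corrected, and re-verified, and an unchanged snapshot should compare clean against the baseline. Hashing only detects that a file changed, not whether the change was approved, so the report has to be reconciled against the change log before a modification is treated as a finding.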


Critical Element CM-5. Update software on a timely basis to protect against known vulnerabilities

Software should be scanned and updated frequently to guard against known vulnerabilities. In addition to periodically looking for software vulnerabilities and fixing them, security software should be kept current by establishing effective programs for patch management, virus protection, and other emerging threats. Also, software releases should be adequately controlled to prevent the use




software programs contribute to the growth in software flaws. While most flaws do not create security vulnerabilities, the potential for these errors reflects the difficulty and complexity involved in delivering trustworthy code.

The federal government has taken several steps to address security vulnerabilities that affect entity systems, including efforts to

For example, OMB FISMA reporting

software vendors, and other computer security experts include the following elements:

• centralized patch management support and clearly assigned responsibilities;

• senior executive support and assurance that appropriate patches are deployed;

• current technology inventory of all hardware, software, and services that are used;

• risk assessment based on the criticality of the vulnerability and importance of the system;

• thorough testing before the patch is applied in a production environment;

• monitoring through network and host vulnerability scanning; and

• timely notification of relevant vulnerabilities and distribution of critical patches.
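Two of the elements above, a current technology inventory and a risk assessment that weighs the criticality of the vulnerability against the importance of the system, combine into a simple prioritisation of missing patches. The following is an added example, not FISCAM text and not a vendor or agency tool: it matches a constructed inventory against constructed advisories (not real CVE data) and ranks the findings. The severity weights and the per-system impact ratings are assumed for the demonstration, and the version comparison is written to cope with suffixes such as OpenSSL's letter releases ("1.1.1k") and sudo's patch levels ("1.9.5p2").

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str
    fixed_version: str   # first version that contains the fix
    severity: str        # critical / high / medium / low


# Assumed weights and ratings for the demonstration.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
SYSTEM_IMPACT = {"payroll-db": 3, "web-frontend": 2, "dev-box": 1}

# Constructed technology inventory: (host, package, installed version).
INVENTORY = [
    ("payroll-db", "openssl", "1.1.1k"),
    ("payroll-db", "sudo", "1.8.31"),
    ("web-frontend", "openssl", "1.1.1l"),
    ("web-frontend", "nginx", "1.18.0"),
    ("dev-box", "sudo", "1.8.31"),
    ("dev-box", "openssl", "1.1.1l"),
]

# Constructed advisories (illustrative only, not real CVE data).
ADVISORIES = [
    Advisory("openssl", "1.1.1l", "high"),
    Advisory("sudo", "1.9.5p2", "critical"),
    Advisory("nginx", "1.19.0", "low"),
]


def version_key(version: str) -> tuple:
    """Split '1.9.5p2' into comparable segments; numeric segments sort before letters."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def is_vulnerable(installed: str, fixed: str) -> bool:
    """True when the installed version predates the first fixed version."""
    return version_key(installed) < version_key(fixed)


def prioritize(inventory, advisories, impact):
    """Rank missing patches by severity weight times system impact rating."""
    by_package = {}
    for adv in advisories:
        by_package.setdefault(adv.package, []).append(adv)
    findings = []
    for host, package, installed in inventory:
        for adv in by_package.get(package, []):
            if is_vulnerable(installed, adv.fixed_version):
                findings.append({
                    "host": host,
                    "package": package,
                    "installed": installed,
                    "fixed": adv.fixed_version,
                    "severity": adv.severity,
                    # Unknown hosts default to the lowest impact; an auditor
                    # would instead flag them as an inventory gap.
                    "score": SEVERITY_WEIGHT[adv.severity] * impact.get(host, 1),
                })
    return sorted(findings, key=lambda f: (-f["score"], f["host"], f["package"]))


if __name__ == "__main__":
    for f in prioritize(INVENTORY, ADVISORIES, SYSTEM_IMPACT):
        print(f"{f['score']:2d} {f['host']:13s} {f['package']:8s} "
              f"{f['installed']} -> {f['fixed']} ({f['severity']})")
```

The ordering puts the critical sudo advisory on the high-impact payroll system first and the low-severity nginx advisory on the web frontend last, which is the "criticality of the vulnerability and importance of the system" rule stated above. The version comparison suits suffixes that denote later releases; schemes where a suffix denotes a pre-release ("1.0rc1" before "1.0") need a package-specific rule.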


Protecting information systems from malicious computer viruses and worms is a serious challenge. Computer attack tools and techniques are becoming increasingly sophisticated; viruses are spreading faster as a result of the increasing connectivity of today's networks; commercial off-the-shelf products can be easily exploited for attack by all their users; and there is no "silver bullet" solution such as firewalls or encryption to protect systems. To combat viruses and worms specifically, entities should take steps such as ensuring that security personnel are adequately trained to respond to early warnings of attacks and keeping antivirus programs up-to-date. Strengthening intrusion detection capabilities and effective patch management programs also help.

According to NIST, the information system (including servers, workstations, and mobile computing devices) should implement malicious code protection that includes a capability for automatic updates. Virus definitions should be kept up-to-date. Virus-scanning software should be provided at critical entry points, such as remote-access servers, and at each desktop system on the network. Anti-


interconnected networks. The key characteristics of IPv6 are designed to increase address space, promote flexibility and


and implementation guidance for VoIP, and
control the use of VoIP. In addition, monitoring and review procedures should be established to ensure security effectiveness. NIST SP 800-58 provides guidance on security considerations for VoIP technologies employed in information


An effective security program can assist in entity efforts to mitigate and respond to these emerging cybersecurity threats. First of all, the risks of emerging cybersecurity threats should be addressed as part of required entitywide information security programs, which include performing periodic assessments of risk. Secondly, security controls commensurate with the identified risk should be implemented. Thirdly, ensuring security awareness training for entity personnel is critical. Comprehensive procedures for detecting, reporting, and responding to security incidents should be implemented. An effective security program, related control techniques, and proposed audit procedures are discussed in the security management section of FISCAM.


As part of the entity security program, effective configuration of layered security (defense-in-depth) mitigates the risks from individual cybersecurity threats. Layered security implemented within an entity's security architecture includes the use of strong passwords, patch management, antivirus software, firewalls, software security settings, backup files, vulnerability assessments, and intrusion detection systems. Figure 6 depicts an example of how entities can use layered security controls to mitigate the risks of individual cybersecurity threats.


Procedures should ensure that only authorized software is installed in information systems. Noncompliant software may leave systems vulnerable to malicious code.

As mentioned previously, many federal agencies have data processing operations that involve multiple locations and require a coordinated effort to package and coordinate distribution and implementation of new or revised software. This can include virus protection software and operating system patches. Once a modified software program has been approved for use, the change




Critical Element CM-6. Appropriately document and approve emergency changes to the configuration

Emergency changes to the information system should be documented and approved by appropriate entity officials, either before the change or after the fact. In addition, appropriate personnel should be notified to provide analysis and follow-up.

It is not uncommon for program changes to be needed on an emergency basis to keep a system operating. Some applications, such as payroll processing, are performed in cycles that must be completed by a deadline. Other systems must be continuously available so that the operations they support are not interrupted. In these cases, the risk of missing a deadline or disrupting operations may pose a greater risk than that of temporarily suspending program change controls. However, because of the increased risk that errors or other unauthorized modifications could be implemented, emergency changes should be kept to a minimum.

It is important that an entity follow established procedures to perform emergency software changes and reduce the risk of suspending or abbreviating normal controls. Generally, emergency procedures should specify

• when emergency software changes are appropriate,

• who may authorize emergency changes,

• how emergency changes are to be documented, and

• within what period after implementation the change must be tested and approved.

Making emergency changes often involves using sensitive system utilities or access methods that grant much broader access than would normally be needed. It is important that such access is strictly controlled and that their use be promptly reviewed.


Shortly after an emergency change is made, the usual configuration management controls should be applied retroactively. That is, the change should be subjected to the same review, testing, and approval process that apply to scheduled changes. In addition, logs of emergency changes and related documentation should be periodically reviewed by data center management or security administrators to determine whether all such changes have been tested and have received final approval.
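The periodic review of the emergency change log described above is mechanical enough to script. The following is an added example, not FISCAM text and not any agency's procedure: it parses a constructed log, applies an assumed policy that testing and final approval must be recorded within three days of implementation, and reports each change that lacks an emergency authorization, was authorized by the person who implemented it, is overdue for testing or final approval, or was approved before testing finished. The log format, the field names, and the three-day window are all assumptions of the example.

```python
from datetime import datetime, timedelta

# Constructed emergency change log. One record per line, pipe-separated:
# change_id | implemented | implementer | emergency approver | tested | final approval
# An empty field means that step has not been recorded yet.
EMERGENCY_LOG = """\
EC-101|2024-03-02T22:15|ops-jdoe|mgr-alee|2024-03-04T10:00|2024-03-04T11:30
EC-102|2024-03-05T01:40|ops-jdoe|mgr-alee|2024-03-06T09:00|
EC-103|2024-03-06T03:10|ops-kng||2024-03-06T15:00|2024-03-06T16:00
EC-104|2024-03-07T23:55|ops-jdoe|ops-jdoe|2024-03-08T08:00|2024-03-08T09:00
EC-105|2024-03-20T04:30|ops-kng|mgr-alee||
"""

# Assumed policy: retroactive testing and final approval within 3 days.
REVIEW_WINDOW = timedelta(days=3)
FIELDS = ("change_id", "implemented", "implementer", "approver", "tested", "final_approval")
TIMESTAMPS = ("implemented", "tested", "final_approval")


def parse_log(text: str) -> list:
    """Parse the pipe-separated log into dicts; empty timestamps become None."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split("|")))
        for name in TIMESTAMPS:
            rec[name] = datetime.fromisoformat(rec[name]) if rec[name] else None
        records.append(rec)
    return records


def review(records: list, now: datetime, window: timedelta = REVIEW_WINDOW) -> dict:
    """Return change_id -> list of findings for every change that fails the policy."""
    findings = {}
    for rec in records:
        issues = []
        # A change is overdue only once the review window has elapsed, so a
        # change made yesterday is not reported merely because paperwork is pending.
        overdue = now - rec["implemented"] > window
        if not rec["approver"]:
            issues.append("no emergency authorization recorded")
        elif rec["approver"] == rec["implementer"]:
            issues.append("implementer authorized own change")
        if rec["tested"] is None and overdue:
            issues.append("testing overdue")
        if rec["final_approval"] is None and overdue:
            issues.append("final approval overdue")
        if rec["tested"] and rec["final_approval"] and rec["final_approval"] < rec["tested"]:
            issues.append("approved before testing completed")
        if issues:
            findings[rec["change_id"]] = issues
    return findings


if __name__ == "__main__":
    for change_id, issues in review(parse_log(EMERGENCY_LOG), datetime(2024, 3, 21)).items():
        print(change_id, "; ".join(issues))
```

Run against the constructed log on 21 March, the script passes EC-101 and EC-105 (the latter is still inside the window) and reports EC-102, EC-103, and EC-104. The self-authorization check is the one reviewers most often omit; it is the emergency-change equivalent of the segregation-of-duties principle that the person making a change should not be the one approving it.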


3.4. Segregation of Duties (SD)


Effective segregation of duties starts with
policies and procedures that are implemented
application levels. Work responsibilities
that one individual does not control all
For example, while users may authorize
programmers should not be allowed to

groups. Dividing duties this way diminishes the likelihood that errors and wrongful acts will go undetected because the activities of one group or individual will serve as a check on the activities of the

Inadequately segregated duties, conversely, increase the risk that erroneous or fraudulent transactions could be processed, that improper program changes could be implemented, and that computer resources could be damaged or destroyed. For example:

inappropriately increase payments to selected individuals without detection.

• A computer programmer responsible for authorizing, writing, testing, and distributing program modifications could either inadvertently or deliberately implement computer programs that did not process transactions in accordance with management's

operations. These smaller entities may rely more extensively on supervisory review to control activities. Similarly, activities that

involve extremely large dollar transactions or are otherwise inherently risky should be divided among several individuals or subject to relatively extensive supervisory review.


Determining whether duties are adequately segregated and that the activities of personnel are adequately controlled involves assessing the entity's efforts in performing each of the critical elements listed


Critical Element SD-1. Segregate incompatible duties and establish related policies


and reviewing transactions should be separated. This concept can also be applied to the authorization, testing, and review of computer program changes.

Segregating duties begins by establishing independent organizational groups with defined functions, such as a payroll unit responsible for preparing payroll transaction input and a data processing unit responsible for processing input prepared by other units. Functions and related tasks performed by each unit should be documented for the unit and written in job descriptions and should be clearly communicated to personnel assigned the responsibilities.

Both physical and logical access controls can be used to enforce many entity policies regarding segregation of duties and should be based on organizational and individual job responsibilities. (Access control is discussed in detail in section 3.2.) For example, logical access controls can preclude computer programmers from using

with applications. Similarly, physical access controls, such as key cards and a security guard, can be used to prevent unauthorized individuals from entering a data processing center.

SD-1.1. Incompatible duties have been identified and policies implemented to segregate these duties

Management should have analyzed operations and identified incompatible duties that are then segregated through policies and

organizational divisions. Although incompatible duties may vary from one entity to another, the following functions are generally performed by different individuals: information security management, systems design, applications programming, systems programming, quality assurance and testing, library management/change management, computer operations, production control and scheduling, data security, data administration, network




Systems design is the function of identifying and understanding user information needs and translating them into requirements

in accordance with functional specifications. Testing may also determine whether appropriate procedures, controls, and documentation have been developed and implemented appropriately before placing a new system into


Library management/change management is the control over

Software programs are generally kept under the management of those

This function also is often responsible for controlling

documentation related to system software, application programs, and computer operations.

Computer operations involves performing the various tasks to operate the computer and peripheral equipment, including providing the tape, disk, or paper re
systems.

Production control and s
information into
this task. An entity may h
responsible for seeing that
and that all output
This group is usually also responsible for reconciling record counts and control totals submitted by users with similar counts and totals

as requested by the application;

and distributed properly.


and database management systems.

Network administration involves maintaining the hardware and software of an on-line communications network and serving as liaison with user departments to resolve network needs and problems.

Configuration management involves controlling and documenting changes made to a system's hardware, software, firmware, and

documentation throughout the development and operational life of the system.


The following include examples of restrictions that are generally addressed in policies about segregating duties and are achieved through organizational divisions and access controls:

• Application users should not have access to operating systems or applications software.

• Programmers should not be responsible for moving programs into production or have access to production libraries or data.

• Access to operating system documentation should be restricted to authorized systems programming personnel.

• Access to applications system documentation should be restricted to authorized applications programming personnel.

• Access to production software libraries should be restricted to library management personnel.

• Persons other than computer operators should not set up or operate the production computer.

• Only users, not computer staff, should be responsible for

Some steps involved in processing a transaction also need to be separated among different individuals. For example, the following combinations of functions should not be performed by a single individual:

• Data entry and verification of data.

• Data entry and its reconciliation to output.

• Input of transactions for incompatible processing functions (for example, input of vendor invoices and purchasing and receiving information).

• Data entry and supervisory authorization functions (for example, authorizing a rejected transaction to continue processing that exceeds some limit requiring a supervisor's review and approval).

Organizations with limited resources to segregate duties should have compensating controls, such as supervisory review of transactions performed.
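Whether any one person can perform an incompatible combination is a question about the union of the functions granted through all of that person's roles, not about any single role, so it is worth checking mechanically. The following is an added example, not FISCAM text and not an identity-management product's feature: it encodes the incompatible pairs listed above (plus the programmer/production-library restriction from the earlier list) as a conflict matrix, computes each user's effective functions from a constructed role model, and labels each conflict a violation or, for users under documented supervisory review, as mitigated by that compensating control. The function and role names, the user assignments, and the reviewed-user set are constructed for the demonstration.

```python
from itertools import combinations

# Incompatible function pairs, from the combinations listed above. The
# function names are constructed identifiers for the demonstration.
INCOMPATIBLE = {
    frozenset({"data_entry", "data_verification"}),
    frozenset({"data_entry", "output_reconciliation"}),
    frozenset({"vendor_invoice_entry", "purchasing_receiving_entry"}),
    frozenset({"data_entry", "supervisory_authorization"}),
    frozenset({"applications_programming", "production_library_management"}),
    frozenset({"applications_programming", "computer_operations"}),
}

# Constructed role definitions (role -> functions) and assignments (user -> roles).
ROLES = {
    "ap_clerk": {"data_entry", "vendor_invoice_entry"},
    "ap_verifier": {"data_verification"},
    "ap_supervisor": {"supervisory_authorization"},
    "receiving_clerk": {"purchasing_receiving_entry"},
    "developer": {"applications_programming"},
    "librarian": {"production_library_management"},
    "operator": {"computer_operations"},
}
USERS = {
    "clerk-pat": ["ap_clerk", "ap_verifier"],
    "sup-lee": ["ap_supervisor", "ap_clerk"],
    "dev-sam": ["developer", "librarian"],
    "ops-kim": ["operator"],
    "clerk-ray": ["ap_clerk", "receiving_clerk"],
}
# Constructed: users whose transactions receive documented supervisory review,
# the compensating control for entities too small to segregate fully.
SUPERVISORY_REVIEW = {"clerk-pat"}


def effective_functions(user: str, users: dict, roles: dict) -> set:
    """Union of the functions granted through every role the user holds."""
    functions = set()
    for role in users.get(user, []):
        functions |= roles.get(role, set())
    return functions


def find_conflicts(users: dict, roles: dict, incompatible: set) -> list:
    """Every incompatible pair that one person can perform alone, as (user, a, b)."""
    conflicts = []
    for user in sorted(users):
        funcs = effective_functions(user, users, roles)
        for a, b in combinations(sorted(funcs), 2):
            if frozenset({a, b}) in incompatible:
                conflicts.append((user, a, b))
    return conflicts


def assess(users: dict, roles: dict, incompatible: set, compensated: set) -> list:
    """Label each conflict a violation or mitigated by a compensating control."""
    return [
        {"user": u, "functions": (a, b),
         "status": "mitigated" if u in compensated else "violation"}
        for u, a, b in find_conflicts(users, roles, incompatible)
    ]


if __name__ == "__main__":
    for finding in assess(USERS, ROLES, INCOMPATIBLE, SUPERVISORY_REVIEW):
        print(f"{finding['status']:9s} {finding['user']:10s} {finding['functions']}")
```

On the constructed data the check flags the developer who is also the production librarian, the supervisor who also keys invoices, and the clerk who enters both invoices and receiving information, while the clerk whose entry and verification work is reviewed by a supervisor is reported as mitigated rather than cleared. The auditor's follow-up is to confirm that the review is actually performed and documented, since the compensating control is only as good as the evidence of it.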


SD-1.2. Job descriptions have been documented

Documented job descriptions should exist that clearly describe employee duties and prohibited activities. These should include

The documented job descriptions should match employees' assigned duties. Also, they should include definitions of the technical knowledge, skills, and abilities required for successful performance in the relevant position, and should be useful for hiring, promoting, and performance evaluation purposes. In addition, the organization should assign a risk designation to all positions and establish screening criteria for individuals filling those positions.


SD-1.3. Employees understand their duties and responsibilities

Employees and their supervisors should understand their responsibilities and the activities that are prohibited. Ultimate responsibility for this rests with senior managers. They should provide the resources and training so that employees understand their responsibilities and ensure that segregation-of-duties principles are established, enforced, and institutionalized within the organization.


Control Techniques and Suggested Audit Procedures for Critical Element SD-1


area could allow mistakes to occur and go undetected and facilitate unauthorized use of the computer.

SD-2.1. Formal procedures guide personnel in performing their duties

Detailed, written instructions should be followed to guide personnel in performing their duties. These instructions are especially important for computer operators. For example, computer operator instruction manuals should provide guidance on system startup and

status reporting, and operator-prohibited activities. Application-specific manuals (commonly called run manuals) should provide additional instructions for operators specific to each application, such as instructions on job setup, console and error messages, job checkpoints, and restart and recovery steps after system failures. Operators should be prevented from overriding file label or equipment error messages.


SD-2.2. Active supervision and review are provided for all personnel

Supervision and review of personnel computer systems activities help make certain that these activities are performed in accordance with prescribed procedures, that mistakes are corrected, and that the computer is used only for authorized purposes. To aid in this oversight, all user activities on the computer system should be recorded on activity logs, which serve as an audit trail. Supervisors should routinely review these activity logs for incompatible actions

update policies when operational processes change. In particular, management should periodically review activities that cannot be controlled by physical or logical access controls. Such activities are typically controlled instead by supervisory oversight and documentation showing approvals and authorizations.


Control Techniques and Suggested Audit Procedures for Critical Element SD-2

3.5. Contingency Planning (CP)


facilities, as well as those performed by users of specific applications. To determine whether recovery plans will work as intended, they should be tested periodically in disaster-simulation exercises. FISMA requires that each federal agency implement an information security program that includes "plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency."

Although often referred to as disaster recovery or contingency plans, controls to ensure service continuity should address the entire range of potential disruptions. These may include relatively minor interruptions, such as temporary power failures, as well as major disasters, such as fires, natural disasters, and terrorism, that would require reestablishing operations at a remote location. If controls are inadequate, even relatively minor interruptions can result in loss of

To  mit^alfi  service  intemipflons,  it  is  essential  that  Uie  related 
controls  be  unaerstood  ann  sunporled  dv  management  ana  staff 
(hiou^toui  ine  entltv.  Setiloinumagement  commitroeni  is  espedallr 
in^wrtant  to  ensnrir^  thai  adequate  resources  are  devoiea  to 


emergency planning, training, and related testing. Also, the involvement of data and process owners is integral to planning, as they have first-hand knowledge of their data and processes and of the impact of a loss of availability. In addition, all staff with contingency planning responsibilities, such as those responsible for backing up files, should be fully aware of the risks of not fulfilling those duties.

Assessing contingency planning controls involves evaluating the


Critical Element CP-1. Assess the criticality and sensitivity of computerized operations

more important than for other operations, and it is not cost effective to provide the same level of continuity for all operations. For this reason, it is important that management analyze data and operations to determine which are the most critical and what resources are needed to recover and support them. This is the first step in determining which resources merit the greatest protection and what


As explained in SM-2, FISMA required NIST to develop standards and guidelines for agencies to use in categorizing federal information and information systems so agencies can provide the appropriate level of information security according to a range of risks. This information is useful in assessing risks and the criticality and sensitivity of computerized operations, and in identifying


The analysis of critical operations is often called a business impact analysis, and it is a key step in contingency planning. Part of business impact analysis is to correlate specific system components with the critical services that they provide and, based on that information, to characterize the consequences if those components were to be disrupted.


CP-1.1. Critical data and operations are identified and prioritized

The criticality and sensitivity of various data and operations should be determined and prioritized based on security categorizations and an overall risk assessment of the entity's operations. As discussed in section 3.1, Entitywide Security Management Program, such a risk assessment should serve as the foundation of an entity's security plan. Factors to be considered include the importance and sensitivity of the data and other organizational assets handled or protected by the individual operations, and the cost of not restoring data or operations promptly. For example, a 1-day interruption of a major system or the loss of related data could significantly slow or halt receipt of revenues, diminish controls over millions of dollars in receipts, and reduce public trust. Conversely, a system that monitors employee training could be out of service for several months without serious consequences.

Other data, such as personal information on individuals or data related to contractual obligations, may require special attention to the resumption of normal service, even if such




CP-1.2. Resources supporting critical operations are identified and analyzed

Once critical data and operations have been determined, the minimum resources needed to support them should be identified and their roles analyzed. The resources to be considered include computer resources, such as hardware, software, and data files;

supplies.


Because essential resources are likely to be held or managed by a variety of groups within an entity, it is important that program and


CP-1 Related NIST SP 800-53 Controls

RA-2 Security Categorization


Control Techniques and Suggested Audit Procedures for Critical Element CP-1


Such steps, especially implementing thorough backup procedures and installing environmental controls, are generally inexpensive ways to prevent relatively minor problems from becoming costly disasters. In particular, an entity should maintain an ability to restore data files, which may be impossible to recreate if lost. In addition, effective maintenance, problem management, and change management for hardware equipment will help prevent unexpected interruptions.


2.4) to achieve the audit objectives, considering the IS controls identified by the auditor as significant to the audit objectives (e.g., internal control over financial reporting).




An entity should have policies for regularly backing up computer files, including master files, transaction files, application programs, system software, and database software, and for storing these backup copies securely at an off-site location. Choosing a location depends on the particular needs of the entity, but in general, the location should be far enough away from the primary location that it will be protected from events such as fires, storms, electrical power outages, and terrorism that may occur at the primary location. In addition, it should be protected from unauthorized access and from


The frequency with which files should be backed up depends on the volume and timing of transactions that modify the data files. Generally, backing up files on a daily basis is adequate. However, if a system accounts for thousands of transactions per day, it may be appropriate to back up files several times a day. Conversely, if only a few transactions are recorded every week, then weekly backing up of files may be adequate.

File backup procedures should be designed so that a recent copy is always available. For example, new data file versions should be received at the off-site storage location before the disks or tapes containing prior versions are returned to the data center for reuse.
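The backup rules above (secure off-site storage, frequency tied to transaction volume, and a new version arriving off-site before the prior media is returned for reuse) modelled in Python. This is an added example, not GAO text or code; media labels, dates and the numeric frequency thresholds are constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BackupVersion:
    media_id: str        # label on the tape or disk (constructed)
    taken_at: datetime   # when the backup was cut at the data center
    file_set: str        # what the copy holds, e.g. "master+transaction+programs"


@dataclass
class OffsiteVault:
    """Versions physically held at the off-site location."""
    held: dict[str, BackupVersion] = field(default_factory=dict)
    released: list[str] = field(default_factory=list)

    def receive(self, version: BackupVersion) -> None:
        """A new version has arrived off-site."""
        self.held[version.media_id] = version

    def newest(self) -> BackupVersion | None:
        return max(self.held.values(), key=lambda v: v.taken_at, default=None)

    def release_for_reuse(self, media_id: str) -> bool:
        """Return media to the data center only if a newer version is already
        held, so the vault never drops below one recent copy."""
        version = self.held.get(media_id)
        if version is None:
            return False
        if not any(v.taken_at > version.taken_at for v in self.held.values()):
            return False  # this is the newest copy; releasing it would leave a gap
        del self.held[media_id]
        self.released.append(media_id)
        return True

    def recent_copy_available(self, now: datetime, max_age: timedelta) -> bool:
        """The manual's test: is a copy no older than max_age held off-site?"""
        newest = self.newest()
        return newest is not None and now - newest.taken_at <= max_age


def backup_interval(transactions_per_day: float) -> timedelta:
    """Frequency keyed to transaction volume as the manual describes; the numeric
    thresholds (1,000/day, fewer than 10/week, four runs a day) are assumptions."""
    if transactions_per_day >= 1000:
        return timedelta(hours=6)      # several times a day
    if transactions_per_day * 7 < 10:
        return timedelta(days=7)       # only a few transactions a week
    return timedelta(days=1)           # the general case: daily


def rotation_demo() -> dict[str, object]:
    """Constructed two-media rotation: Monday's tape may leave the vault only
    after Tuesday's has arrived."""
    vault = OffsiteVault()
    monday = BackupVersion("TAPE-A", datetime(2009, 3, 9, 23, 0), "master+transaction+programs")
    tuesday = BackupVersion("TAPE-B", datetime(2009, 3, 10, 23, 0), "master+transaction+programs")
    vault.receive(monday)
    early_release = vault.release_for_reuse("TAPE-A")   # refused: nothing newer is held
    vault.receive(tuesday)
    late_release = vault.release_for_reuse("TAPE-A")    # allowed: TAPE-B is newer
    return {
        "early_release": early_release,
        "late_release": late_release,
        "held": sorted(vault.held),
        "recent": vault.recent_copy_available(datetime(2009, 3, 11, 9, 0), timedelta(days=1)),
    }


if __name__ == "__main__":
    print(rotation_demo())
```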

Generally, data center personnel are responsible for routinely backing up files. However, if critical data are routinely maintained on computers that are not under the control of data center personnel, then responsibility for backing up this information


and essential legal files. Although a review of computer-related controls focuses on electronically maintained data, it is important that critical paper documents also be copied and stored remotely so that they are available when


CP-2.2. Environmental controls have been implemented

Environmental controls prevent or mitigate potential damage to facilities and interruptions in service. Examples of environmental controls include

•  fire extinguishers and fire-suppression systems;

•  fire alarms;

•  smoke detectors;

•  emergency lighting;

•  redundancy in air cooling systems;

•  backup power supplies;

•  existence of shut-off valves and procedures for any building plumbing lines that may endanger processing facilities;

•  processing facilities built with fire-resistant materials and designed to reduce the spread of fire; and


can be checked. Also, uninterruptible or backup power supplies can carry a facility through a short power outage or provide time to back up data and perform orderly shut-down procedures during extended power outages.

CP-2.3. Staff have been trained to respond to emergencies

Staff should be trained in and aware of their responsibilities in preventing, mitigating, and responding to emergency situations. For example, information security support staff should receive periodic training in emergency fire, water, and alarm incident procedures, as well as in their responsibilities in starting up and running an alternate data processing site. Also, if outside users are critical to the entity's operations, they should be informed of the steps they may have to take as a result of an emergency.


entity to incorporate into the contingency plan steps for arranging lodging and meals or any other facilities or services that may be needed to accommodate essential personnel.


CP-2.4. Effective hardware maintenance, problem management, and change management help prevent unexpected interruptions

Unexpected service interruptions can occur from hardware equipment failures or from changing equipment without adequate advance notification to system users. To prevent such occurrences requires an effective program for maintenance, problem management, and change management for hardware equipment.


failures. Vendor-supplied specifications generally indicate the frequency and type of preventive maintenance needed. Such maintenance should be scheduled and performed to minimize the impact on overall operations and on critical or sensitive applications. Specifically, peak workload periods should be avoided. All maintenance performed should be documented, especially any unscheduled maintenance that could be analyzed to identify

solution. Flexibility should be designed into the data processing operations to accommodate the required preventive maintenance and reasonably expected unscheduled maintenance. For critical or sensitive applications that require a high level of system availability, the acquisition and use of spare or backup hardware may be


Effective problem management requires tracking service performance and documenting problems encountered. Goals should be established by senior management on the availability of data processing and on-line service. Records should be maintained on the actual performance in meeting service schedules. Problems and delays encountered, the reasons for the problems or delays, and the elapsed time for resolution should be recorded and analyzed to identify any recurring pattern or trend. Senior management should periodically review and compare the service performance achieved with the goals and survey user departments to see if users' needs are being met.
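An added example (not GAO text or code) of the problem-management records this paragraph calls for: parsing constructed incident records, measuring achieved availability against management's goal, and grouping unscheduled problems by recorded cause to surface a recurring pattern. The record format, the 99.5 percent goal and the exclusion of scheduled windows from downtime are assumptions.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Incident:
    service: str
    started: datetime
    resolved: datetime
    cause: str          # the recorded reason for the problem or delay
    scheduled: bool     # planned maintenance window rather than an unexpected outage

    @property
    def elapsed(self) -> timedelta:
        return self.resolved - self.started


def parse_incident(line: str) -> Incident:
    """Parse one constructed record: service|start|end|cause|scheduled or unscheduled."""
    service, started, resolved, cause, kind = line.split("|")
    fmt = "%Y-%m-%dT%H:%M"
    return Incident(service, datetime.strptime(started, fmt),
                    datetime.strptime(resolved, fmt), cause, kind == "scheduled")


def availability_pct(incidents, service, window_start, window_end) -> float:
    """Percent of the window the service was up, counting unscheduled downtime only
    (excluding planned windows is this example's policy choice, not GAO's)."""
    window = (window_end - window_start).total_seconds()
    down = 0.0
    for inc in incidents:
        if inc.service != service or inc.scheduled:
            continue
        start = max(inc.started, window_start)   # clip to the reporting window
        end = min(inc.resolved, window_end)
        if end > start:
            down += (end - start).total_seconds()
    return 100.0 * (window - down) / window


def recurring_causes(incidents, min_count=2) -> dict[str, dict[str, float]]:
    """Unscheduled problems grouped by recorded cause; a cause seen at least
    min_count times is a recurring pattern, reported with total and mean time to resolve."""
    by_cause = defaultdict(list)
    for inc in incidents:
        if not inc.scheduled:
            by_cause[inc.cause].append(inc.elapsed.total_seconds() / 60)
    return {
        cause: {"count": len(mins), "total_minutes": sum(mins),
                "mean_minutes": sum(mins) / len(mins)}
        for cause, mins in by_cause.items() if len(mins) >= min_count
    }


# Constructed problem-management records for one month of a payroll application.
SAMPLE_RECORDS = [
    "payroll|2009-03-03T08:00|2009-03-03T10:00|disk controller failure|unscheduled",
    "payroll|2009-03-10T14:00|2009-03-10T17:00|disk controller failure|unscheduled",
    "payroll|2009-03-15T01:00|2009-03-15T05:00|quarterly firmware update|scheduled",
    "payroll|2009-03-20T11:00|2009-03-20T11:30|network switch reboot|unscheduled",
    "payroll|2009-03-24T09:30|2009-03-24T10:30|disk controller failure|unscheduled",
]
AVAILABILITY_GOAL_PCT = 99.5   # management's availability goal (assumed)


def monthly_review() -> dict[str, object]:
    """The periodic comparison of achieved service performance with the goal."""
    incidents = [parse_incident(line) for line in SAMPLE_RECORDS]
    achieved = availability_pct(incidents, "payroll",
                                datetime(2009, 3, 1), datetime(2009, 3, 31))
    return {
        "availability_pct": round(achieved, 3),
        "meets_goal": achieved >= AVAILABILITY_GOAL_PCT,
        "recurring": recurring_causes(incidents),
    }


if __name__ == "__main__":
    print(monthly_review())
```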

Changes to hardware equipment and related software should be scheduled to minimize the impact on operations and users and allow for adequate testing to demonstrate that they will work as expected.

Advance notification should be given to users so that service is not unexpectedly interrupted.


Contingency Training
Alternative Storage Site
Alternate Processing Site

Information System Recovery and Reconstitution


Critical Element CP-3. Develop and document a comprehensive contingency plan

A contingency plan or suite of related plans should be developed for restoring critical applications; this includes arrangements for alternative processing facilities in case the usual facilities are significantly damaged or cannot be accessed. Agency/entity-level policies and procedures define the contingency planning process and documentation requirements. Furthermore, the contingency plan or related plans

disruptions affecting the organization's IT systems, business processes, and the facility. Because there is an inherent relationship between an IT system and the business process it supports, there should be coordination between each plan during development and updates to ensure that recovery strategies and supporting resources neither negate each other nor duplicate efforts.

The NIST SP 800-34, Contingency Planning Guide for Information Technology Systems, discusses the types of contingency plans that an organization might use and how they relate to each other. Since there is no standard definition for these plans, they may vary from organization to organization. To provide a common basis of understanding for IT contingency planning, NIST developed the definitions shown in the table below.


knowledge or expertise of one or two individuals. It should identify and provide information on

•  off-site storage location for backup files; and

•  procedures for restoring critical applications and their order in the restoration process. (See section CP-1.3 for additional information on emergency processing priorities.)

Multiple copies of the contingency plan should be available, with some stored at off-site locations to make sure they are not destroyed by the same events that made the primary data processing facilities


CP-3.2. Arrangements have been made for alternate data processing and telecommunications facilities

Arrangements may range from a fully equipped site that can provide immediate backup service, referred to as a "hot site," to an unequipped site that will take some time to prepare, referred to as a "cold site." In addition, support arrangements should be prearranged with vendors. These include agreements with suppliers of computer hardware and software.

Costs and risks should be considered in deciding what type of alternate site is needed. However, it should be geographically removed from the original site so that it is protected from the same events. In addition, the site should have ready access to the basic utilities needed to resume operations, such as electricity, water, and telecommunications services. In some cases, two or more entities may share the same


important weaknesses in their plans, such as backup facilities that could not adequately replicate critical operations as anticipated. Through the testing process, these plans were substantially


CP-4.2. Test results are analyzed and the contingency plan is adjusted accordingly

Contingency test results provide an important measure of the feasibility of the contingency plan. As such, they should be reported to top management so that the need for modification and additional testing can be determined and so that top management is aware of the risks of continuing operations with an inadequate contingency plan.

Any testing of contingency plans is likely to identify weaknesses in the plan, and it is important that the plan and related supporting activities, such as training, be revised to address these weaknesses. Otherwise, the benefits of the testing will be mostly lost.


Control Techniques and Suggested Audit Procedures for Critical Element CP-4


CP-4 Related NIST SP 800-53 Controls
CP-4 Contingency Plan Testing
CP-5 Contingency Plan Update


Chapter 4. Evaluating and Testing Business Process Application Controls


4.0 Overview

Business processes are the principal functions used by the entity to accomplish its mission. Examples of typical business processes in government entities include:

•  Mission-related processes, typically at the program or sub-program level, such as education, public health, law

•  Financial management processes, such as collections, disbursements, or payroll; and

•  Other support processes, such as human resources, property management, and security.

A business process application is a combination of hardware and software that is used to process business information in support of a specific business process.

Business process application level controls, commonly referred to as "application level controls" or "application controls," are those controls over the completeness, accuracy, validity, confidentiality, and availability of transactions and data during application processing. The effectiveness of application level controls is


objectives, the auditor should coordinate the planning and testing of such controls with application level controls. For example, if a data

coordinate the planning of testing of the entitywide, system, and application level controls associated with the data management


In this chapter, application level controls are divided into the following four control categories, which are described in more detail below:

(1) Application level general controls;

(2) Business process controls;

(3) Interface controls; and

(4) Data management system controls.

The auditor should assess the effectiveness of controls in each of the four control categories to the extent they are significant to the audit objectives.

Application level general controls (referred to herein as "application security" or AS) consist of general controls operating at the business process application level, including those related to

segregation of duties, and contingency planning. In this chapter, the general control activities discussed in Chapter 3, as well as related suggested control techniques and audit procedures, are tailored to the business process application level.

Business process controls (BP) are the controls applied to business transaction flows. They relate to the completeness, accuracy, validity and confidentiality of transactions and data during application processing. They typically cover the structure, policies, and procedures that operate at a detailed business process (cycle or transaction) level and operate over individual transactions or activities across business processes. Specific control areas of business process controls are:

•  Transaction Data Input relates to controls over data that enter the application (e.g., data validation and edit checks).

•  Transaction Data Processing relates to controls over data integrity within the application (e.g., review of transaction processing logs).

•  Transaction Data Output relates to controls over data output and distribution (e.g., output reconciliation and review).

•  Master Data Setup and Maintenance relates to controls over master data, the key information that is relatively constant and shared between multiple functions or applications (e.g., vendor file).

Interface controls (IN) consist of those controls over the (a) timely, accurate, and complete processing of information between applications and other feeder and receiving systems on an on-going basis, and (b) complete and accurate migration of clean data during


For each of the four application control categories, this chapter identifies several critical elements—tasks that are essential for establishing adequate controls within the category. For each critical element, there is a discussion of the associated objectives, risks, and control activities, as well as potential control techniques and suggested audit procedures. For each critical element, the auditor should make a summary determination as to the effectiveness of the entity's related controls in achieving the critical element. If the controls for one or more of each category's critical elements are ineffective, then the controls for the entire category are not likely to be effective. The auditor should use professional judgment in




As noted earlier, the effectiveness of application level controls is dependent on the effectiveness of entitywide and system level general controls. Weaknesses in entitywide and system level general controls can result in unauthorized changes to business process applications and data (confidentiality, integrity, and availability) that can circumvent or impair the effectiveness of business process application controls. More specifically,


assessment of and response to information security risks related to the business process applications and the systems on which they depend, as well as significantly increase the risk that application level and other controls are not consistently applied in accordance with management's policies.

•  Weaknesses in access controls can result in unauthorized access

•  Weaknesses in configuration management can result in unauthorized changes to application and system components, which can lead to unauthorized changes to data and applications.

•  Weaknesses in contingency planning can result in unavailability of applications and/or loss of application data.

The following table illustrates the relationship between business process application level controls and general controls at the entitywide and system level.







4.0.1 The Auditor's Consideration of Business Process Control Objectives


The overall objectives of business process application level controls are to provide reasonable assurance about the completeness, accuracy, validity and confidentiality of transactions and data during application processing. Each specific business process control technique is designed to achieve one or more of these objectives. The effectiveness of business process controls depends on whether all of these overall objectives are achieved. Each objective is described in more detail below.

Completeness (C) controls should provide reasonable assurance that all transactions that occurred are input into the system, accepted for processing, processed once and only once by the system, and properly included in output. Completeness controls include the following key elements:

•  rejected transactions are identified, corrected and re-processed; and

•  all transactions accepted by the system are processed completely.

Completeness control techniques include batch totals, sequence checking, matching, duplicate checking, reconciliations, control totals and exception reporting.

Accuracy (A) controls should provide reasonable assurance that transactions are properly recorded, with the correct amount/data, and on a timely basis (in the proper period); key data elements input for transactions are accurate; data elements are processed accurately by applications that produce reliable results; and output is accurate.

Accuracy control techniques include programmed edit checks (e.g., validations, reasonableness checks, dependency checks, existence checks, format checks, mathematical accuracy, range checks, etc.), batch totals and check digit verification.
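The completeness and accuracy techniques listed above (batch and control totals, sequence and duplicate checking, programmed edit checks, check digit verification) as they would be implemented over a batch of vendor invoice transactions. This is an added example, not GAO code; the record layout, vendor master data, thresholds, accounting period and the mod-10 check-digit scheme are constructed assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date

KNOWN_VENDORS = {"V1001", "V1002", "V1003"}   # constructed vendor master file (existence check)
MAX_AMOUNT_CENTS = 10_000_000                 # range check ceiling, assumed
PO_REQUIRED_ABOVE_CENTS = 500_000             # dependency check threshold, assumed


@dataclass(frozen=True)
class Txn:
    seq: int              # batch sequence number
    vendor_id: str
    amount_cents: int
    invoice_no: str       # 8 digits, the last a mod-10 check digit (assumed scheme)
    posting_date: date
    po_number: str | None


def check_digit_valid(number: str) -> bool:
    """Mod-10 (Luhn) check digit: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def edit_checks(t: Txn, period: tuple[date, date]) -> list[str]: 
    """Accuracy edits: format, existence, range, check digit, period, dependency."""
    errors = []
    if not re.fullmatch(r"V\d{4}", t.vendor_id):
        errors.append("format:vendor_id")
    elif t.vendor_id not in KNOWN_VENDORS:
        errors.append("existence:vendor_id")
    if not 0 < t.amount_cents <= MAX_AMOUNT_CENTS:
        errors.append("range:amount")
    if not re.fullmatch(r"\d{8}", t.invoice_no) or not check_digit_valid(t.invoice_no):
        errors.append("checkdigit:invoice_no")
    if not period[0] <= t.posting_date <= period[1]:
        errors.append("period:posting_date")
    if t.amount_cents > PO_REQUIRED_ABOVE_CENTS and not t.po_number:
        errors.append("dependency:po_required")
    return errors


@dataclass
class BatchResult:
    accepted: list[Txn] = field(default_factory=list)
    rejected: dict[int, list[str]] = field(default_factory=dict)   # seq -> reasons
    batch_errors: list[str] = field(default_factory=list)


def process_batch(header_count: int, header_total_cents: int,
                  txns: list[Txn], period: tuple[date, date]) -> BatchResult:
    """Completeness controls over the batch (record count, control total, sequence,
    duplicates), then per-record accuracy edits; rejects carry their reasons so
    they can be corrected and re-input."""
    result = BatchResult()
    if len(txns) != header_count:
        result.batch_errors.append("record count differs from batch header")
    if sum(t.amount_cents for t in txns) != header_total_cents:
        result.batch_errors.append("control total differs from batch header")
    seqs = {t.seq for t in txns}
    if seqs:
        missing = sorted(set(range(min(seqs), max(seqs) + 1)) - seqs)
        if missing:
            result.batch_errors.append(f"sequence gap: {missing}")
    seen: set[tuple[str, str]] = set()
    for t in txns:
        errors = edit_checks(t, period)
        key = (t.vendor_id, t.invoice_no)
        if key in seen:
            errors.append("duplicate:vendor+invoice")   # processed once and only once
        seen.add(key)
        if errors:
            result.rejected[t.seq] = errors
        else:
            result.accepted.append(t)
    return result


def sample_run() -> BatchResult:
    """Constructed batch: header says 4 records totalling $10,040.00; seq 4 is missing."""
    march = (date(2009, 3, 1), date(2009, 3, 31))
    txns = [
        Txn(1, "V1001", 125_000, "12345674", date(2009, 3, 10), None),
        Txn(2, "V1002", 750_000, "24680134", date(2009, 3, 11), None),   # over PO threshold, no PO
        Txn(3, "V1001", 125_000, "12345674", date(2009, 3, 12), None),   # duplicate of seq 1
        Txn(5, "V9999", 4_000, "55500012", date(2009, 2, 28), "PO-77"),  # unknown vendor, bad digit, prior period
    ]
    return process_batch(4, 1_004_000, txns, march)
```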


Validity (V) controls should provide reasonable assurance that all recorded transactions actually occurred (are real), relate to the organization, are authorized, and were approved in accordance with management's authorization.


Availability controls should provide reasonable assurance that application data and reports and other relevant business information are readily available to users when needed. These controls are principally addressed in application security controls rather than in specific business process controls.

The completeness, accuracy, and validity controls relate to the overall integrity objective. The availability objective is addressed as part of application level general controls in AS-5.

4.0.2 Steps in Assessing Business Process Application Level Controls


This section provides supplemental implementation guidance with respect to planning the assessment of business process application level controls and should be applied in conjunction with Chapter 2. Consistent with Chapter 2, the assessment of business process application level controls includes the following steps:

•  Plan the information system controls audit

•  Perform information system controls audit tests

•  Report audit results


The objectives of the initial planning phase are to identify significant issues, assess risk, and design efficient and effective audit procedures. To accomplish this, the auditor performs the following steps, which are discussed in more detail in Chapter 2:

•  Understand the overall audit objectives and related scope of the business process application control assessment

•  Understand the entity's business processes and key business processes

•  Obtain a general understanding of the structure of the entity's networks

•  Identify key areas of audit interest (files, applications, systems, locations)

•  Assess information system risk

•  Identify critical control points

•  Obtain a preliminary understanding of business process application level controls

•  Perform other audit planning procedures

The following discussion provides additional audit considerations as they apply to application level controls.


4.0.2.A Understand the overall audit objectives and related scope of the business process application control assessment

The auditor should obtain an understanding of the objectives of the application control assessment. The nature, timing and extent of the auditor's procedures to assess the effectiveness of application controls vary depending upon the audit objectives.


a broad assessment of information system controls at the entitywide, system, and application level


As noted in Chapter 2, if achieving the audit objectives does not require an overall conclusion on IS controls or relates only to

would not necessarily identify all significant IS control weaknesses that may exist. Consequently, if the audit objectives only relate to a subset of controls, such as only business process controls for a specific application, the auditor should evaluate the potential limitations of the auditor's work on the auditor's report and the needs and expectations of users. The auditor may determine that, because the limitations are so significant, the auditor will (1) communicate the limitations to the management of the audited entity, those charged with governance, and/or those requesting the audit, and (2) clearly report such limitations on the conclusions in the audit report. For example, in reporting on an audit limited to business process controls within a business process application, the auditor may determine that it is appropriate to clearly report that the scope of the assessment was limited to those business process controls and that consequently, additional information system


4.0.2.B Understand the entity's business processes


transaction flows (detailed study of the entity's internal controls over a particular category of events that identifies all key procedures and controls relating to the processing of

application and software module interaction (transactions leave one system for processing by another, e.g., payroll time card interfaces with pay rate file to determine salary information).

Obtaining this understanding is essential to assessing information system risk, understanding application controls, and developing relevant audit procedures.

The concept of materiality/significance, discussed in Chapter 2, can help the auditor determine which applications are significant, or key, to the audit objectives.


4.0.2.C Obtain a general understanding of the structure of the entity's networks


The auditor should obtain an understanding of the networks and systems that are used to support the key business processes

with operating system and network security. Obtaining such an understanding is important to identify those controls that are necessary to reasonably assure that unauthorized access to key applications and data files is prevented or detected.


4.0.2.D Identify key areas of audit interest (files, applications, systems, locations)

Based on the audit objectives and the auditor's understanding of the business processes and networks, the auditor should identify key areas of audit interest including:


4.0.2.E Assess information system risk


4.0.2.F Identify critical control points

As discussed in Chapter 2, the auditor should identify the critical control points within the entity's information systems and key applications. Based on the auditor's understanding of the entity's systems and applications, key areas of audit interest, and the information gathered during audit planning (the audit objectives, risks, and key areas of audit interest), the auditor identifies critical control points at the application level. Critical control points at the application level are those points in the system where controls, if compromised, could significantly affect the integrity, confidentiality, or availability of key business process applications or related data. Critical control points at the business process application level typically include

locations. As the audit testing proceeds and the auditor gains a better understanding of the applications, application functionality, controls within and outside each application, control weaknesses, and related risks, the auditor should reassess and reconsider the critical control points.


4.0.2.G Obtain a preliminary understanding of business process application level controls

If the assessment of application controls is performed in conjunction with a financial audit, the auditor should assess the effectiveness of those controls that are identified by the financial auditor (controls identified in the Specific Control Evaluation (SCE) Worksheet in federal financial audits) and other related controls upon which the effectiveness of these controls depend. The responsibility for identifying financial reporting controls rests primarily with the financial auditor, but the information systems auditor should be consulted in this process. Financial reporting controls generally include both IS controls and non-IS controls. The SCE Worksheet is more fully discussed in section 396 H of the Financial Audit Manual (FAM).


Data  management  s^istems. 


Frequently each type of control occurs within a business process and such controls are interdependent. The auditor should consider the interaction between each of these types of controls. For example, interface and data management controls are interlinked since many of the feeder systems reside on some type of data management system whose controls must be effective to ensure the integrity of the data it maintains, including social security numbers, vendor names, and other sensitive information. Further, interface and business process controls are linked in that controls should be established that ensure the timely, accurate and complete processing of information between the feeder and receiving systems and the mainline business processes they support.


business process application

interface, and data management system controls), and user controls (controls performed by people interacting with information systems). General and business process application controls are always IS controls. A user control is an IS control if its effectiveness depends on information systems processing or the reliability (accuracy, completeness, and validity) of information processed by information systems. Conversely, a user control is not an IS control if its effectiveness does not depend on information systems processing or the reliability of information processed by information systems.

Application controls can be automated or manual (sometimes referred to as user controls). The auditor will find that most business processes will have a combination of automated and manual controls that balance resource requirements and risk.


Automated controls can block a transaction or stop it from proceeding further, preventing an undesired outcome. For example, a vendor invoice can be blocked for payment automatically if the goods or services are not received or if the payment exceeds a specific threshold and requires additional review and approval. Manual controls, such as the review of reports of payments over a certain amount, could effectively detect an invoice payment without goods receipt or a high-dollar payment, but may not occur in time to stop the payment.
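The preventive versus detective distinction in the paragraph above, as an added Python example that is not part of the FISCAM text: the automated block on invoices without goods receipt or over a threshold, beside the manual review that finds the same invoices only after they have been paid. The invoice fields, the 25,000 threshold and the sample invoices are constructed assumptions.

```python
"""Added example, not from the FISCAM text: a preventive automated payment
block beside a detective manual review over the same constructed invoices.
The invoice fields, the 25,000 threshold and the sample data are assumptions."""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, List, Optional

APPROVAL_THRESHOLD = Decimal("25000")  # assumed policy value, not from the manual


@dataclass
class Invoice:
    invoice_id: str
    vendor_id: str
    amount: Decimal
    goods_received: bool               # has a receiving report been recorded?
    approved_by: Optional[str] = None  # second-level approval above the threshold


@dataclass
class PaymentRun:
    paid: List[Invoice] = field(default_factory=list)
    blocked: Dict[str, str] = field(default_factory=dict)  # invoice_id -> reason


def automated_payment_block(invoices: List[Invoice],
                            threshold: Decimal = APPROVAL_THRESHOLD) -> PaymentRun:
    """Preventive automated control: the application refuses to release an
    invoice for payment unless goods receipt exists and, above the threshold,
    an approval is recorded.  A blocked invoice never reaches payment."""
    run = PaymentRun()
    for inv in invoices:
        if not inv.goods_received:
            run.blocked[inv.invoice_id] = "no goods receipt"
        elif inv.amount > threshold and inv.approved_by is None:
            run.blocked[inv.invoice_id] = "exceeds threshold without approval"
        else:
            run.paid.append(inv)
    return run


def manual_review_report(paid: List[Invoice],
                         threshold: Decimal = APPROVAL_THRESHOLD) -> Dict[str, str]:
    """Detective manual control: the exception report a reviewer works after
    the payment run.  It applies the same tests, but to payments already made,
    so it finds the problem without having stopped the payment."""
    report: Dict[str, str] = {}
    for inv in paid:
        if not inv.goods_received:
            report[inv.invoice_id] = "paid without goods receipt"
        elif inv.amount > threshold and inv.approved_by is None:
            report[inv.invoice_id] = "high-dollar payment without approval"
    return report


# Constructed sample batch.
SAMPLE_INVOICES = [
    Invoice("INV-1001", "V-17", Decimal("4200.00"), goods_received=True),
    Invoice("INV-1002", "V-17", Decimal("9800.00"), goods_received=False),
    Invoice("INV-1003", "V-42", Decimal("31000.00"), goods_received=True),
    Invoice("INV-1004", "V-42", Decimal("27500.00"), goods_received=True,
            approved_by="cfo"),
]


def compare_controls(invoices: List[Invoice]) -> Dict[str, object]:
    """Run both controls: with the automated block in place, and as if the
    application had paid everything and only the manual review existed."""
    with_block = automated_payment_block(invoices)
    review_only = manual_review_report(invoices)  # every invoice treated as paid
    return {
        "blocked": with_block.blocked,
        "paid_with_block": [i.invoice_id for i in with_block.paid],
        "review_findings": review_only,
        # The detective control finds the same invoices, but only after payment.
        "same_invoices": set(with_block.blocked) == set(review_only),
    }


if __name__ == "__main__":
    for name, detail in compare_controls(SAMPLE_INVOICES).items():
        print(f"{name}: {detail}")
```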

The operating effectiveness of an automated application control during the audit period also depends on the operating effectiveness of related general controls (at the entitywide, system and application levels). For example, effective general controls are needed to prevent or detect management overrides or other unauthorized changes to computer applications or data that could circumvent or impair the operation of the automated control.


Automated controls can be further subdivided into:

• Inherent Controls are those that have been hard coded and built into the application logic and cannot be changed by end users. The self-balancing capability provided by some applications is an example of an inherent control (e.g., in a financial application, the transaction will not post until debits = credits).


ERP systems by design are Extensible Business Reporting Language (XBRL) compliant, which means that they can be configured to prepare reports based upon standard rules or taxonomies. The auditor should understand the nature and extent of any XBRL use


therefore, may be used either in situations where ideal controls, such as complete segregation of duties, can't be implemented to prevent something from occurring, or when manual controls offer an effective, cost-effective control option.

Manual controls require human involvement, usually by way of approval of a critical step in a business process (example: signed purchase requisition) or reviewing for exceptions and compliance by reviewing system output. Generally, the auditor considers and tests manual controls along with automated controls. Testing only one type of application control may lead to an incorrect assessment of the key controls management may be relying on.




Monitoring of capital expenditures via a quarterly report that analyzes expenditures by department with comparisons to


4.0.3.H Perform other audit plan


4.0.4 Perform Information System Controls Audit Tests of Business Process Application Level Controls

The auditor's assessment of application controls has two main aspects: testing the effectiveness of controls, and evaluating the results of testing. The process of testing and evaluation is planned and scoped during the planning phase, as discussed in Chapter 2. As the auditor obtains additional information during control testing, the auditor should periodically reassess the audit plan and consider whether changes are appropriate.

The auditor should perform the following procedures as part of testing and evaluating the effectiveness of application level controls:

• Identify the application systems relevant to the audit objectives.

• identification of key areas of audit interest and

• Determine which IS control techniques are relevant to the audit objectives. The control categories, critical elements, and control activities in Chapters 3 and 4 are generally relevant to all audits. However, if the auditor is not performing a comprehensive audit, for example, an application review, then there may be no need to

• For each relevant IS control technique, determine whether it is designed to achieve the critical activity and has been placed in operation (if not done earlier); then determine whether such control techniques are

• Identify weaknesses in IS controls (weaknesses in

consider the impact of other controls that mitigate or reduce the risk related to the potential weakness.

The auditor considers the following in designing the tests of application level controls:

• The nature of the control;

• The significance of the control in achieving the control objective(s);

• The risk of the control not being properly applied [also see FAM 340];

• All of the key controls that management is relying on to address the risks for a specific business process or a sub-process, which

• The key controls outside the application under audit, as the

effective.


The auditor should conclude on the individual and aggregate effect of identified application control weaknesses on the audit objectives and report the results of the audit. Such conclusions generally should include the effect of any weaknesses on the entity's ability to achieve each of the critical elements in Chapters 3 and 4, and on the risk of unauthorized access to key systems or files. The auditor's conclusions should be based upon the potential interdependencies of application controls (i.e., controls whose effectiveness depends on the effectiveness of other controls).

Prior to developing an audit report, it is generally appropriate to communicate identified weaknesses to management to obtain their concurrence with the facts and to understand whether there are additional factors that are relevant to the auditor's evaluation of the effect of the weaknesses. Communication of identified weaknesses to management typically includes the following information:


Chapter 2 provides additional guidance on reporting audit results.


4.1.  Application  Level  General  Controls  (AS) 


as well as related suggested control techniques and audit procedures, are tailored to the application level. Understanding business events is necessary to determine the role of application level general controls in the assessment of business process application controls.

Chapter 3 addresses controls at the entitywide and system levels, such as those related to networks, servers, general support systems and databases that support one or more business and financial systems. Additional security considerations specific to applications

Application level general controls are dependent on general controls operating at the entitywide and system levels. The application is generally a subset of the infrastructure that includes one or more operating systems, networks, portals, LDAPs, and data management systems. For example, the system level access controls discussed in Chapter 3 apply to the users of the application. In addition, applications themselves require another level of access requirements that restrict users to application functionality that aligns with the user's role in the organization. The objective of application level general controls is to help entity management assure the confidentiality, integrity, and availability of information assets, and provide reasonable assurance that application resources and data are protected against unauthorized:

- Modification,

- Disclosure,

- Impairment


Weaknesses in application level general controls can result in

weaknesses in application level general controls can affect the

is essential to assess the application level
The critical elements for application level

• AS-4 Segregate application user access to conflicting transactions and monitor segregation

• AS-5 Implement effective application contingency planning

Chapter 3.


Critical Element AS-1. Implement


provides a framework for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of the entity's application-related controls. Without effective security management over the application, there is an increased risk that entity management, IT staff, and application owners and users will not properly assess risk and will, consequently, have inappropriate and/or inadequate information security over the application. Effective application security management controls (SM-1) include the

performed by external third parties are

a roadmap during the entire lifecycle of the application, and is therefore critical to the auditor in gaining a high-level


the application level include the following:

• The process to gather design requirements may be compromised without clear guidelines for approval and sign-off procedures for security roles.

• Ongoing requirements for business process owners to provide authorization specifications to the security design team (e.g., field-level security, role testing, etc.) may be compromised without a guideline to drive the joint-effort process.

• Security roles could be defined inappropriately, resulting in users being granted excessive or unauthorized access.

For federal systems, NIST Special Publication 800-18, Guide for Developing Security Plans for Federal Information Systems, provides guidance on documenting information system security controls. The general guidance in SP 800-18 is augmented by SP 800-53 with recommendations for information and rationale to be included in the system security plan.


Periodically assess and validate application security risks


Chapter 3 (SM-2) discusses comprehensive risk assessment, and provides guidance on risk assessment. The guidance includes requirements contained in various laws, such as FISMA and FMFIA, OMB Circular A-130, and standards developed by NIST. Risk assessments should consider risks to data confidentiality, integrity, and availability, and the range of risks that an entity's systems and data may be subject to, including those posed by internal and external users. The Security Management section of Chapter 3 addresses the entitywide and system level security risk assessments. Risk assessments also should be conducted for applications, and documented in the security plan, as discussed in NIST SP 800-18. In assessing business processing controls, the auditor should consider


Document and implement

• High risk business processes - Procurement, Asset Management, Treasury, etc.

• Functionality that should not be widely distributed - For example, limiting vendor master data maintenance to a few users is critical to ensure master data integrity and reliable transaction processing.

• Segregating master data and transactional data (Contrary to master data, transactional data result from a single event, and often use several field values of the master data.) - For example, combining vendor creation and payment


Monitor the effectiveness of the

demonstrates management's commitment to an application security plan that is appropriate to the entity's mission. The basic components of an effective monitoring program are discussed in Chapter 3 (critical element SM-6), which provides guidelines for monitoring the policies and procedures relevant to application

an adequate plan for monitoring


Management should consider ways to effectively coordinate monitoring efforts with work performed to comply with applicable laws and regulations, and should consider them in developing an application security monitoring assessment plan. Examples of such requirements for federal entities include: FISMA, OMB Circular A-130 and OMB Circular A-123. FISMA requires that the security of all

the security of major applications at least once every 3 years, as part of the certification and accreditation (C&A) process, or sooner if significant modifications have occurred or where the risk and magnitude of harm are high.

OMB Circular A-123 requires agencies and individual Federal

results-oriented management; (ii) assess the adequacy of internal control in Federal programs and operations; (iii) separately assess and document internal control over financial reporting consistent with the process defined in Appendix A; (iv) identify needed improvements; (v) take corresponding corrective action; and (vi)

statements. The implementation guidance for OMB Circular A-123 includes requirements that are wholly consistent with this manual.


The entity should take into consideration the statutory and regulatory requirements in its assessment of the effectiveness of application security policies and procedures, and testing of

controls specific to each

be coordinated with the entitywide corrective action plan process.

Ensure that activities performed by external third parties are adequately secure

An entity may allow external third parties access to their systems for various purposes. Chapter 3 discussed policies and procedures regarding the system access granted to third party providers (e.g.,

management), including the requirement to have appropriate

The entity should, however,
the same compliance
the ability to monitor such
policies and procedures should exist for


Control Techniques and Suggested Audit Procedures for Critical Element AS-1


Critical  Element  AS-2,  Implement  effective  application  access  controls 


Adequately protect application

implemented to protect the security of such boundaries. Application boundaries are more sensitive where the connectivity is to lower

Implement effective identification and


all users have an individual and unique ID that

would allow the user's activities to be recorded and

c. Are users required to enter/use other authenticating information, such as tokens or biometrics?

d. Are users required to enter a separate ID and password for each application?

e. Does the application require the user to enter a password?

f. What are the password parameters (i.e., length, character requirements, etc.)?

g. How often does the application require the user to change the password?

h. Are there any instances of users having multiple IDs and passwords?

i. Are there any instances of users sharing IDs or passwords?

• What other IDs and passwords does the user have to enter before accessing the sign-in screen for the application?

a. Does the user enter a network ID and password?

b. Does the user enter a terminal emulation ID and password?

Knowledge of the application security design and function enables the auditor to assess the effectiveness of the security controls over the other levels of authentication, especially when weaknesses are identified at the application security layer, as those weaknesses may be mitigated by stronger controls at other levels.

The following procedures discussed in Chapter 3 are equally applicable at the application level:

• The owner identifies the nature and extent of access that should be available for each user;

• The owner approves user access to the application and data;

• Access is permitted at the file, record, or field level; and

• Owners and security managers periodically monitor user access.

Security administration procedures should provide tactical guidance on the day-to-day operations of creating, assigning, monitoring, updating, and revoking end-user access to the application. End-users should be assigned authorizations sufficient, but not excessive, to perform their duties in the application: access should be limited to individuals with a valid business purpose (least privilege). Users should be granted their level of access by virtue of the position they hold within the organization. This will generally require users to have both:

based on the specific needs of their position


However, in an integrated environment, the entire business process cycle may be performed in the same application and a user may have the ability to perform more than one activity in the cycle. Therefore, restricted access (access to a sensitive business transaction) and segregation of duty conflicts (access to two or more transactions that are sensitive in combination) should be considered carefully.

Factors that determine the sensitivity include the mission critical elements of the application, pervasive use of the data or activity, confidentiality and privacy of data, and activities performed or supported by the application.

job responsibility. This has a dual purpose: one, the proper alignment ensures that the user has accountability for proper execution of the transactions and accuracy of the related data, and two, the expertise and skills of the user match the business process underlying the transaction or activity. For example, journal voucher entry is made by a General Accounting Account Analyst of the Finance Department, and not by a Procurement manager.

Adequately protect sensitive application resources

Access to sensitive application resources should be restricted to individuals or processes that have a legitimate need for this access for the purposes of accomplishing a valid business purpose. Sensitive application resources include password files, access authorizations to read or modify applications, and sensitive application functions such as application security administration. The entity should identify and adequately protect sensitive application resources. In some cases, sensitive data may need to be encrypted.


Implement effective audit and monitoring capability

Audit and monitoring op
analysis of indications o
the application. Automa

or gain insight into management

• Does management monitor access within the application (i.e., unauthorized access attempts, unusual activity, etc.)? Does the application generate reports to identify unauthorized access attempts? Are security logs created and reviewed?

• Has a procedure been established and placed in operation that requires a complete user recertification on a periodic basis?



Critical Element AS-3. Implement


Configuration Management (CM) discusses changes to the baseline configuration of applications, using the concepts of identification, control, status reporting and auditing of configuration. Most application configuration changes are managed using a staging process. The staging process allows the entity to develop and unit test changes to an application within the development environment, transport the changes into a Quality Assurance environment for further system and user acceptance testing and, when the tests have been completed and the changes are approved, transport the changes into the production environment. Also, see Section CM for general controls related to configuration management.

Control over business process application modifications and configurable objects is an extension of the Configuration Management controls in Chapter 3 that addresses an organization's change


1. Develop and document CM policies, plans, and procedures.

2. Maintain current configuration identification information.

3. Properly authorize, test, approve, and track all configuration changes, including:

• Documented system development life cycle methodology (SDLC);

• Adequate authorization of change requests that are documented and maintained;

• Appropriate authorization for the user to change the configuration;

• Adequate control of program changes through testing to final approval;

• Adequate control of software libraries; and

• Appropriate segregation of duties over the user's access to reasonably assure that critical program function integrity is not affected;

configuration management programmatic areas of capital planning and investment control, and security services and product acquisition. This publication discusses practices designed to help security management identify funding needs to secure systems and provide strategies for obtaining the necessary funding. Also, it provides guidance to entities in applying risk management principles to assist in the identification and mitigation of risks


Critical Element AS-4. Segregate user


Effective segregation of duties is designed to prevent the possibility that a single person could be responsible for diverse and critical functions in such a way that errors or misappropriations could occur and not be detected in a timely manner, in the normal course of business processes.

As discussed in AS-1, the s
wide policy on segregation
management should

Entity management should review the organization structure and

positions described in the segregation of duties matrix, or one person may be responsible for more than one of the roles described. Based on the organizational resource limitation and risk management, certain levels of segregation of duty conflicts may be allowed by management for a select role or users. If so, management should have appropriate compensating controls in place to mitigate the risks of allowing the conflicts.

Appropriate segregation of duties often presents difficulties in smaller organizations. Even entities or locations that have only a few employees, however, can usually divide their responsibilities to achieve the necessary checks and balances. More often than not, the auditor will encounter situations where a few to a substantial number of users may have access to activities with segregation of duty conflicts. Management generally mitigates the risks in allowing the segregation of duty conflicts through compensating controls, such as approval of transactions before they are entered in the application or review of the
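The restricted-access and conflict-in-combination distinction from the access control discussion under AS-2, and the segregation of duties matrix and compensating controls described here under AS-4, as one added Python example that is not part of the FISCAM text: it checks each user's transaction assignments against a constructed conflict matrix and a constructed list of restricted transactions, and reports conflicts that lack a recorded compensating control. The transaction codes, users, matrix entries and compensating-control record are assumptions.

```python
"""Added example, not from the FISCAM text: segregation-of-duties review of
application user assignments.  The transaction codes, the conflict matrix, the
restricted list, the users and the compensating-control record are all
constructed for this illustration."""
from itertools import combinations
from typing import Dict, FrozenSet, List, Set

# Constructed SoD matrix: each pair is sensitive in combination (AS-4).
CONFLICT_MATRIX: Set[FrozenSet[str]] = {
    frozenset({"VENDOR_CREATE", "INVOICE_PAY"}),
    frozenset({"PO_CREATE", "PO_APPROVE"}),
    frozenset({"GOODS_RECEIPT", "INVOICE_PAY"}),
}
# Constructed list of transactions that are sensitive on their own (restricted access).
RESTRICTED: Set[str] = {"VENDOR_CREATE", "SECURITY_ADMIN"}

UserAccess = Dict[str, Set[str]]  # user -> transactions the user can execute


def restricted_access(access: UserAccess) -> Dict[str, Set[str]]:
    """Users holding any individually sensitive transaction."""
    return {u: t & RESTRICTED for u, t in access.items() if t & RESTRICTED}


def sod_conflicts(access: UserAccess,
                  matrix: Set[FrozenSet[str]] = CONFLICT_MATRIX
                  ) -> Dict[str, List[FrozenSet[str]]]:
    """Every pair of a user's transactions that the matrix marks as conflicting."""
    found: Dict[str, List[FrozenSet[str]]] = {}
    for user, txns in access.items():
        pairs = [frozenset(p) for p in combinations(sorted(txns), 2)]
        hits = [p for p in pairs if p in matrix]
        if hits:
            found[user] = hits
    return found


def uncompensated_conflicts(access: UserAccess,
                            compensating: Dict[str, Set[FrozenSet[str]]]
                            ) -> Dict[str, List[FrozenSet[str]]]:
    """A conflict management has chosen to allow must carry a documented
    compensating control; report the conflicts that do not."""
    out: Dict[str, List[FrozenSet[str]]] = {}
    for user, hits in sod_conflicts(access).items():
        still_open = [p for p in hits if p not in compensating.get(user, set())]
        if still_open:
            out[user] = still_open
    return out


# Constructed user-to-transaction assignments.
SAMPLE_ACCESS: UserAccess = {
    "alice": {"PO_CREATE", "GOODS_RECEIPT"},                   # no conflict
    "bob":   {"VENDOR_CREATE", "INVOICE_PAY", "REPORT_VIEW"},  # conflict and restricted
    "carol": {"PO_CREATE", "PO_APPROVE"},                      # conflict, compensated below
    "dave":  {"SECURITY_ADMIN"},                               # restricted only
}
# Constructed record of management-approved compensating controls
# (e.g., an independent weekly review of carol's approvals).
SAMPLE_COMPENSATING: Dict[str, Set[FrozenSet[str]]] = {
    "carol": {frozenset({"PO_CREATE", "PO_APPROVE"})},
}


def audit_summary(access: UserAccess = SAMPLE_ACCESS,
                  compensating: Dict[str, Set[FrozenSet[str]]] = SAMPLE_COMPENSATING
                  ) -> Dict[str, object]:
    """The three findings an auditor would carry into the AS-4 work papers."""
    return {
        "restricted": restricted_access(access),
        "conflicts": sod_conflicts(access),
        "uncompensated": uncompensated_conflicts(access, compensating),
    }


if __name__ == "__main__":
    for name, detail in audit_summary().items():
        print(f"{name}: {detail}")
```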



Critical  Element  AS-5.  Implement  effective  application  contingency  plamimg 

Chapter 3 addresses Contingency Planning at an entitywide and

Take steps to prevent and minimize potential damage and interruption

Develop and document a comprehensive contingency plan

Periodically test the contingency plan and adjust it as appropriate

OMB Circular A-130, Appendix III, requires contingency plans for major applications, and NIST provides relevant guidance in Special Publication 800-34, Contingency Planning Guide for Information Technology Systems


NIST contingency planning
which is discussed in Chapter

Second, staff should identify disruption impacts and allowable outage times for the application. And, third, staff should develop recovery priorities that will help determine recovery strategies. The NIST guide provides a range of recovery strategy considerations, including alternate sites or agreements with other


Take steps to prevent and minimize potential damage and interruption.

minimize potential damage and interruption to critical systems, including appropriate backup of application programs and data. Such policies and procedures should be incorporated into the entity's entitywide contingency planning efforts.


Develop and document a comprehensive application contingency plan.

A discussion following the
contingency plan (which NIST refers to as an IT contin

important that an application contingency plan be
broader-scoped, related plans so that the application
The application contingency plan should also include time-based
procedures so that recovery activities are performed in
priorities and
avoid significant impacts. Contingency plans should

maintain appropriate backup of applications and application data. Also, it is important that restarts process data completely and accurately.

Further, when an application contingency plan has been activated, responsible contingency personnel should reasonably assure that effective controls will restrict and monitor user access to application data and programs during
preparations have not been made
followed, the contingency plan
application with vulnerabilities


Periodically test the contingency plan and adjust it as appropriate.

Testing the application contingency plan is essential to ensure it will function as intended when activated for an emergency. Testing can reveal important weaknesses. Testing the contingency plan and making adjustments as needed helps ensure the application will work when the contingency plan is implemented for an actual emergency. The NIST contingency planning guide recommends the following areas to be addressed in a contingency test:

• System recovery on an alternate platform from backup media

• Coordination among recovery teams

• Internal and external connectivity

• Restoration of normal operations

• Notification procedures


Control Techniques and Suggested Audit Procedures for Critical Element AS-5


4.2. Business Process Controls (BP)


employed by an entity
may be manual or

intervention, such as the approval of a transaction, and are typically used to assure the reasonableness or propriety of transactions. Automated and manual controls can be preventive or detective. Automated controls can keep invalid data from being processed, and they can report transactions that fail to meet reasonableness criteria. Manual controls performed prior to input can identify problems before data is processed, while monitoring controls performed after processing can identify errors.

In many entities, the core business processes span across multiple applications. Some of the applications are themselves complex, integrated systems. Ideally, applications are interfaced seamlessly

not limited to financial systems.
essential to ensuring the complete
confidentiality of non-financial da


Master Data vs. Transaction Data

Every business process employs master data, or referential data that provides the basis for ongoing business activities, e.g., customers, vendors, and employees. The data that are generated as a result of these activities are called transaction data, and represent the result of the activity in the form of documents or postings, such as purchase orders and obligations.

• Vendor Master

• Employee Master

Financially focused master data generally has the following characteristics:

• Relatively stable over time; even if individual records change, the overall volume of growth is limited. Example: chart of accounts, fixed assets, and vendors.

• Occur only once per object in the application. Example:


Business Process Application Control Objectives

As discussed in the introduction to this chapter, the overall objectives of business process application level controls are to provide reasonable assurance of the completeness, accuracy, validity, confidentiality, and availability of transactions and data during application processing. The completeness, accuracy, and validity controls relate to the overall integrity objective. In particular, each specific business process control technique is designed to achieve one or more of these objectives. The effectiveness of business process controls depends on whether all of these overall objectives are achieved by the application level controls. Each objective is described in more detail below.

Completeness (C) controls should provide reasonable assurance
that all transactions that occurred are input into the system,
accepted for processing, processed once and only once by the
system, and properly included in output. Completeness controls
include the following key elements:

•  transactions are completely input,

•  valid transactions are accepted by the system,

•  duplicate postings are rejected by the system,

•  rejected transactions are identified, corrected and re-processed, and

•  all transactions accepted by the system are processed
completely.

The most common completeness controls in applications are batch
totals, sequence checking, matching, duplicate checking,
reconciliations, control totals and exception reporting.

Accuracy (A) controls should provide reasonable assurance that
transactions are properly recorded, with the correct amount/data,
and on a timely basis (in the proper period); key data elements input
for transactions are accurate; data elements are processed
accurately by applications that produce reliable results; and output
is accurate.

Accuracy control techniques include programmed edit checks (e.g.,
validations, reasonableness checks, dependency checks, existence
checks, format checks, mathematical accuracy, range checks, etc.),
batch totals and check digit verification.
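The completeness and accuracy techniques listed above can be seen together in one input edit routine. The following is an added example written for this page, not FISCAM text or GAO code: it applies record-level edits (format, check digit, existence against a vendor master, range, period and dependency checks, duplicate detection) and then batch-level completeness controls (record count, batch total, sequence checking) to a constructed batch. The vendor master, cost-center table, amount limit and reason codes are assumptions chosen for illustration.

```python
"""Batch input edit checks covering the completeness and accuracy
controls above (added example, not FISCAM text).  Vendor master,
batch layout and reason codes are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed vendor master used by the existence check (IDs carry a mod-10 check digit).
VENDOR_MASTER = {"10009": "Acme Supply", "20008": "Beta Services", "30007": "Gamma Corp"}
# Constructed dependency table: cost centers a purchase may be coded to.
VALID_COST_CENTERS = {"CC100", "CC200"}
AMOUNT_LIMIT = Decimal("50000.00")          # assumed reasonableness/range limit


@dataclass
class Txn:
    seq: int            # sequence number assigned at input
    vendor_id: str
    amount: str         # as keyed; parsed during the format check
    posting_date: str   # ISO date as keyed
    cost_center: str


@dataclass
class BatchHeader:
    record_count: int       # control total: number of records keyed
    amount_total: Decimal   # control total: sum of amounts keyed


@dataclass
class EditResult:
    accepted: list = field(default_factory=list)   # seq numbers passed to processing
    rejected: dict = field(default_factory=dict)   # seq -> reason codes for the error log
    batch_errors: list = field(default_factory=list)


def luhn_check(number: str) -> bool:
    """Check digit verification (mod-10/Luhn); the last digit is the check digit."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def edit_batch(header: BatchHeader, txns: list, period_start: date, period_end: date) -> EditResult:
    """Apply record-level edits (accuracy) then batch-level controls (completeness)."""
    result = EditResult()
    seen_keys = set()
    running_total = Decimal("0")
    for t in txns:
        reasons = []
        try:                                            # format checks
            amount = Decimal(t.amount)
            if amount != amount.quantize(Decimal("0.01")):
                raise ValueError("more than two decimals")
            posted = date.fromisoformat(t.posting_date)
        except (ValueError, InvalidOperation):
            result.rejected[t.seq] = ["FORMAT"]
            continue
        running_total += amount
        if not luhn_check(t.vendor_id):
            reasons.append("CHECK_DIGIT")
        if t.vendor_id not in VENDOR_MASTER:            # existence check
            reasons.append("EXISTENCE")
        if not Decimal("0") < amount <= AMOUNT_LIMIT:   # range / reasonableness
            reasons.append("RANGE")
        if not period_start <= posted <= period_end:    # proper period
            reasons.append("PERIOD")
        if t.cost_center not in VALID_COST_CENTERS:     # dependency check
            reasons.append("DEPENDENCY")
        key = (t.vendor_id, amount, posted)             # duplicate check
        if key in seen_keys:
            reasons.append("DUPLICATE")
        seen_keys.add(key)
        if reasons:
            result.rejected[t.seq] = reasons
        else:
            result.accepted.append(t.seq)
    # Completeness: record count, batch (hash) total and sequence checking.
    if len(txns) != header.record_count:
        result.batch_errors.append("RECORD_COUNT_MISMATCH")
    if running_total != header.amount_total:
        result.batch_errors.append("BATCH_TOTAL_MISMATCH")
    seqs = sorted(t.seq for t in txns)
    missing = sorted(set(range(seqs[0], seqs[-1] + 1)) - set(seqs)) if seqs else []
    if missing:
        result.batch_errors.append(f"SEQUENCE_GAP:{missing}")
    return result


def run_sample() -> EditResult:
    """Constructed batch: one clean record and four that each trip a different edit."""
    header = BatchHeader(record_count=5, amount_total=Decimal("77799.50"))
    txns = [
        Txn(1, "10009", "1200.00", "2024-03-05", "CC100"),   # clean
        Txn(2, "20008", "75000.00", "2024-03-06", "CC100"),  # over limit
        Txn(3, "30008", "300.00", "2024-03-07", "CC200"),    # bad check digit, not on master
        Txn(4, "10009", "1200.00", "2024-03-05", "CC100"),   # duplicate of seq 1
        Txn(6, "20008", "99.50", "2024-04-01", "CC300"),     # wrong period, bad cost center; seq 5 missing
    ]
    return edit_batch(header, txns, date(2024, 3, 1), date(2024, 3, 31))


if __name__ == "__main__":
    r = run_sample()
    print("accepted:", r.accepted)
    print("rejected:", r.rejected)
    print("batch errors:", r.batch_errors)
```

Rejected records carry every reason that applies, which is what a user error log needs for follow-up; the batch-level errors are reported separately because a sequence gap or total mismatch says something about the batch as a whole rather than about one record.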

Validity (V) controls should provide reasonable assurance (1) that
all recorded transactions actually occurred (are real), relate to the
organization, and were properly approved in accordance with
management's authorization; and (2) that output contains only valid
data. A transaction is valid when it has been authorized (for
example, buying from a particular supplier) and when the master
data relating to that transaction is reliable (for example, the name,
bank account and other details for the supplier). Validity includes


Confidentiality (CF) controls

against unauthorized access


User Satisfaction Inquiry

general idea of how they use the data and what their opinions are
concerning its accuracy, timeliness, and completeness. Questions
that may be used to collect information from the user include the
following.

•  For what purpose do you use the transaction output?

•  authorize changes to the system,

•  other?

•  Can the transaction output be used without correction?

•  Is the information accurate and reliable, available when
needed, current and up-to-date?

•  Do you maintain manual records to supplement the
transaction output?

•  Do you check the information for quality (accuracy,
completeness, and validity) when you receive it?

•  Is the business process output ever seen by the data center?

•  Are you authorized to make changes to the information and if
so, can you override validation and edit checks incorporated
into the business process application?

When assessing user satisfaction, it is important to obtain evidence
of incomplete or inaccurate data identified by a user. The auditor
should determine

•  the nature of the problem - amounts overstated or
understated, incorrect totals, incomplete data fields, and
negative balances which should be positive;

•  how frequently errors are observed - isolated instances or
recurring problems;

•  whether the user can help explain why errors are made -
since errors affect users the most, they may have conducted
studies to show the cause and magnitude of errors; and

•  whether users maintain manual records for use instead of
computer reports or output - manually kept records may
indicate problems with the integrity of the transaction output.


NIST Guidance

For federal systems, NIST SP 800-53 includes the following controls
related to business process controls:

SI-9    Information Input Restrictions

SI-10   Information Accuracy, Completeness, Validity, and
Authenticity

SI-11   Error Handling

SI-12   Information Output Handling and Retention


This section presents more detailed control objectives that should
be achieved to reasonably assure that transaction data is complete,
accurate, valid and confidential. Also, this section is organized to
address the four principal types of business process controls: input,
processing, output, and master files.


Business Process Control Critical Elements

Business Process Controls have the following four critical elements:

BP-1  Transaction Data Input is complete, accurate, valid, and
confidential (Transaction data input controls).

BP-2  Transaction Data Processing is complete, accurate, valid, and
confidential (Transaction data processing controls).

BP-3  Transaction Data Output is complete, accurate, valid, and
confidential (Transaction data output controls).

BP-4  Master data setup and maintenance is adequately controlled.


Critical Element BP-1. Transaction Data Input is complete, accurate, valid, and
confidential (Transaction Data Input Controls)

The entity should implement procedures to reasonably assure that
(1) all data input is done in a controlled manner, (2) data input into
the application is complete, accurate, and valid, (3) any incorrect
information is identified, rejected, and collected for subsequent
processing, and (4) the confidentiality of data is adequately
protected. Inadequate input controls can result in incomplete,
inaccurate, and/or invalid records in the application data or
unauthorized disclosure of application data.

Applications can accept input manually (application users enter data),
or via automated input. In either case data input controls are relevant.
The automated input may be interfaces that use batch processing or
are integrated real-time with internal and external systems. To the
extent that data input is obtained from other applications, the auditor's
assessment of input controls should be coordinated with data interface
controls discussed in section 4.3 of this chapter.

For federal systems, NIST SP 800-53 [SI-10] establishes the following
objectives for input controls:

•  checks for accuracy, completeness, validity, and authenticity
of information are accomplished as close to the point of
origin as possible.

•  rules for checking the valid syntax of information system

Also, SI-10 states that the extent to which the information system is
able to check the accuracy, completeness, validity, and authenticity
of information is guided by organizational policy and operational
requirements.

Data input for processing should have all key fields completed and
be validated and edited. Error handling procedures should facilitate

where applicable,

breaches that may impact the accuracy, completeness, and validity
of the information or loss of confidentiality (privacy issue)).
Preventive controls generally allow for higher reliance and the most
efficient testing.

In addition, controls should be in place to reasonably assure that
access to data input is adequately controlled. Procedures should be
implemented to control access to application input routines and
physical input media (blank and completed). The assessment of
such controls should be coordinated with Critical Element AS-2
Implement effective application access controls.

For federal systems, NIST SP 800-53 includes three controls relevant
to transaction data input:

SI-9    Information Input Restrictions

SI-10   Information Accuracy, Completeness, Validity, and
Authenticity

SI-11   Error Handling


Data input controls are comprised of the following control activities:

•  Implement an effective transaction data strategy and design

•  Establish input preparation (approval and review) policies and
procedures

•  Build data validations and edit checks into the application


minimizing redundancy. The design of transaction data elements is
a critical factor in helping to assure the quality of data as well as its
interrelationship with other data elements. Data standards should
be defined and maintained, but may vary depending upon the
specific requirements of the entity, including regulatory
requirements, and database- or application-based standards.


A clearly defined data strategy minimizes data redundancies
fundamental to an efficient, effective transaction processing
function. Poor data quality may lead to a failure of system controls,
process inefficiencies, and inaccurate management reporting.
Erroneous or missing elements of critical data in the transaction file
can produce discrepancies within the process cycle.

Characteristics of erroneous transaction file data elements include,
but are not limited to, duplicate transactions recorded or processed,
and improper coding to departments, business units or accounts.
They also include unpopulated data fields and data formatting
inconsistencies, as described for the master file.


Establish Input Preparation (Approval and Review) Policies and Procedures

The entity should have policies

files are complete and accurate
transmitted in a timely manner for input
Among these, management should establish procedures to
reasonably assure that all inputs into the application

investigated. Finally, procedures should be established to
reasonably assure that all source documents (paper or electronic
form) have been entered and accepted to create a valid transaction.
Automatic input from other applications should be integrated either
through an interface (external applications) or configuration (cross-
modular within the same application). Interface controls are
addressed in section 4.3, below.

For federal systems, NIST SP 800-53 [SI-9] establishes a control
that restricts the capability to input


Build Data Validation and Edits within the Application

Input data should be validated and edited to provide reasonable
assurance that erroneous data are prevented or detected before

will build application input edits directly into the application to limit
the number of errors that are input into the application. Edits are

The auditor should
edits to assess their
tested. This understanding

whether such capability is restricted
and limited in its use. In addition, entities
for the automatic logging of all edit overrides

appropriateness and correctness by
auditor should also determine whether table


Implement Effective Auditing and Monitoring Capability

As part of the
These errors
Management should

and irregularities are detected, reported, and corrected.
Management's audit and monitoring capability should include

user error logs to provide timely follow-up and correction of
unresolved data errors and irregularities, and

•  an established monitoring process to assure the effectiveness of
error handling procedures. This should include procedures to
periodically review user error logs to determine the extent to
which data errors are being made and the status of uncorrected

For federal systems, NIST SP 800-53 [SI-11] states that the
information system identifies and handles error conditions in an
expeditious manner without providing information that could be
exploited by adversaries. The structure and content of error
messages are carefully considered by the organization. Error
messages are revealed only to authorized personnel.
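The two halves of the SI-11 guidance above, an expeditious but uninformative message to the user and a user error log that management can follow up on, fit together as shown in this added example. It is written for this page and is not FISCAM text or GAO code; the log layout, the masking rule (keep the last four characters), the reference-number format and the five-day follow-up window are all assumptions. Detailed diagnostics and the masked offending value go to the internal log; the end user receives only a reference number, and a monitoring routine lists open errors older than the follow-up window.

```python
"""Error handling in the SI-11 sense: detailed diagnostics go to an internal
error log, the end user gets a generic message with a reference, and a
monitoring routine reports unresolved errors (added example, not FISCAM text;
log layout, masking rule and follow-up window are assumptions)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class ErrorEntry:
    ref: str
    detected: date
    user: str
    field_name: str
    masked_value: str          # account numbers etc. never appear in full
    detail: str                # internal diagnostic, never shown to the user
    status: str = "OPEN"       # OPEN -> CORRECTED when the user error log is worked
    corrected: Optional[date] = None


@dataclass
class ErrorLog:
    entries: list = field(default_factory=list)
    next_ref: int = 1


def mask(value: str, keep: int = 4) -> str:
    """Keep only the trailing characters so an entry can be matched without exposing the value."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def record_error(log: ErrorLog, user: str, detected: date, field_name: str,
                 raw_value: str, detail: str) -> str:
    """Log the error internally and return the message that is shown to the user."""
    ref = f"ERR-{log.next_ref:06d}"
    log.next_ref += 1
    log.entries.append(ErrorEntry(ref, detected, user, field_name, mask(raw_value), detail))
    # Generic wording: enough for follow-up, nothing about validation rules or data.
    return f"The transaction could not be accepted (reference {ref}). Contact the help desk."


def resolve(log: ErrorLog, ref: str, corrected_on: date) -> bool:
    for e in log.entries:
        if e.ref == ref and e.status == "OPEN":
            e.status, e.corrected = "CORRECTED", corrected_on
            return True
    return False


def unresolved(log: ErrorLog, as_of: date, max_age_days: int) -> list:
    """Monitoring: OPEN errors older than the follow-up window, oldest first."""
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted((e for e in log.entries if e.status == "OPEN" and e.detected <= cutoff),
                  key=lambda e: e.detected)


def counts_by_field(log: ErrorLog) -> dict:
    """Recurring-problem view for the periodic review: failures per input field."""
    counts = {}
    for e in log.entries:
        counts[e.field_name] = counts.get(e.field_name, 0) + 1
    return counts


def run_sample() -> dict:
    """Constructed error log: two bank-account errors and one amount error."""
    log = ErrorLog()
    msg = record_error(log, "clerk1", date(2024, 3, 1), "bank_account", "123456789012",
                       "vendor 20008: account fails mod-10 check")
    record_error(log, "clerk2", date(2024, 3, 4), "amount", "75000.00",
                 "exceeds AMOUNT_LIMIT 50000.00")
    record_error(log, "clerk1", date(2024, 3, 9), "bank_account", "998877665544",
                 "account not on vendor master")
    resolve(log, "ERR-000002", date(2024, 3, 5))
    return {"log": log, "message": msg,
            "stale": [e.ref for e in unresolved(log, date(2024, 3, 12), 5)],
            "by_field": counts_by_field(log)}


if __name__ == "__main__":
    out = run_sample()
    print(out["message"])
    print("overdue:", out["stale"])
    print("errors per field:", out["by_field"])
```

The reference number is the only thing the user-facing message and the internal log share, so help-desk staff can find the full diagnostic without the message itself disclosing validation rules or the rejected value.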


Control Techniques and Suggested Audit Procedures for Critical Element BP-1


Critical Element BP-2. Transaction Data Processing is complete, accurate, valid, and
confidential (Transaction Data Processing Controls)


Transaction data processing controls address

differ to mitigate the risks inherent to the applicable process. An
effective assessment of data processing controls includes an
understanding of the process steps and data flow in a process cycle,

the controls embedded in the application, and the manual controls
that are common across processes or specific to each process.


ing, whereby the

accuracy, completeness, validity, and

and the ability to

•  Efficient transaction entry that eliminates unnecessary
duplication of data entry. Where appropriate, data needed by the
systems are entered only once and other parts of the system are

of each process cycle.


•  Managers should provide review and authorization for
transactions that are rejected and should be rerun.

Effective auditing and monitoring capability.

During data processing, transactions may not be processed
completely or accurately as a result of errors in the
data, system interruptions, communication failures, or other events.
In addition, valid data may be corrupted or data may lose its
confidentiality. To identify these instances, a monitoring capability
should be implemented. The monitoring function should reasonably
assure that data are accurately processed through the application
and that processing procedures detect data that has been lost or
altered during processing. No data should be lost during the
process. Controls may include:


errors or problems encountered during processing. Types of
information that should be considered for logging are descriptions
of any errors encountered, dates identified, any codes associated
with errors, any corrective action taken, date


controls to reasonably assure that the correct generation/cycle
of files is used for processing. This may include the generation of
backup files from processing to be used for disaster recovery.

Adequate audit trails are generated during processing. These
audit trails should be logs or reports that contain information
about each transaction. Data that should be included are who
initiated each of the transactions, the date and time of the
transactions, and the location of the transaction origination
(terminal or IP address as an example).


are being verified, and the resulting information is distributed in a
timely and consistent manner to the appropriate end users. Controls
include:

•  An overall reporting process that identifies specific output that
will be generated, the form and content of the reporting,
sensitivity of information and selectivity of user.

o  Output is delivered to the appropriate end user.

o  Output is restricted from unauthorized access.

o  Record retention and backup schedules for output data
should be established.


•  Balancing/reconciliation process
and

be either error reports or a log
These should contain information


For federal systems, NIST SP 800-53 includes three controls relevant
to data output controls:

SI-11   Error Handling

SI-12   Information Output Handling and Retention


In addition, NIST SP 800-53 [SI-12] states that the organization


Implementing a reporting strategy

distribution, and any re
specifically considering:

•  Consolidation/processing of reporting from 3rd parties;

•  Business needs/functionality of reports; and

•  Non-standard output items.


The strategy should adequately consider the confidentiality of all
types of output. For example, the entity should have adequate
security over output queues, particularly for sensitive information.
Inadequately secured output queues can lead to unauthorized
disclosure of information. Similarly, access to output screens should
be adequately controlled.


Controls over report generation and distribution should include the
following:

•  Reports should be reviewed for reasonableness and accuracy
prior to distribution.

•  Output distribution should be controlled so that output is
provided to authorized recipients only and on a timely basis.

•  Record retention should be adequate based on internal needs and

•  Data output to management reporting or other copies of output
files are adequately controlled.

Control Techniques and Suggested Audit Procedures for Critical Element BP-3


Critical Element BP-4. Master Data Setup and Maintenance is Adequately Controlled

Master data are the key information that is constant and shared with
multiple functions, such as a customer master record, which
contains the customer number, shipping address, billing address,
contact and payment terms. Most applications use the following
two types of master data:

•  Configurable master data or business rules are defined in an
application module and used by end users, but cannot be changed
directly by end users.


essential standing data. To


Master data are, usually, entered once and are shared among various
application modules. Also, common data fields may be used by the
application several times over a period of time until the master data
is no longer valid because of termination of a contractual agreement


Implementing an effective design of master data elements

The three key steps in master file setup and maintenance are:

•  Implementing an effective design of master data elements

the
functional level
maintained and
for example,
purchasing data and


Partial edit - Master data maintenance may be controlled by
rules that can be configured to prevent changes to certain areas
of data, or key fields within a record.

Numbering - System-assigned internal numbering is generally
considered to be lower risk than external numbering; however,
management can choose to use external numbering (to match
numbers from an external system) and can choose naming
conventions appropriate to its use. Adequate procedures should
be in place to reasonably assure compliance with management's
policy on numbering/naming conventions.


by a wide range of users. Master data maintenance, therefore,
should be the domain of fewer users than those responsible for
updating transaction data.


exist over the integrity and quality of the
master data record will compromise the
integrity of whatever transactions use the field values stored in the
master data. Characteristics of erroneous master data elements
include, but are not limited to, duplicate names, invalid records,
duplicate addresses, improper address formats, incomplete or
inaccurate address information, unpopulated data fields and other
data formatting inconsistencies between the business rules and the


Because it is foundational in nature and may have a broad impact on
transactional data, master data should be carefully controlled
through reviews and approval by designated data owners. To
reasonably assure an appropriate level of control, a combination of
automated, preventive controls and manual, detective controls is


Controls over master data include controls related to:

•  changes to the configuration of the master file,

•  validity of all master file records,

•  completeness and validity of master file data,

•  consistency of master data among modules, and

•  approval of changes to master file data.


Implementing an effective auditing and monitoring capability

As part of the control of master data, the organization should have
an effective auditing and monitoring capability which allows
changes to master data records to be recorded and reviewed where
necessary. This monitoring may be done either as part of ongoing
activities or through separate "master data audits". In either case,
the most important factor supporting the capability is that activity is
properly captured and maintained by an automated logging
mechanism.

Depending on the level of risk associated with the data, the type and
frequency of monitoring may vary. Ideally, monitoring should be
built into the normal, on-going responsibilities of the data owner.
Because audits take place at a point in time, problems often will be
identified more quickly by ongoing monitoring routines.

Ongoing monitoring may include obtaining approval prior to
changes, or verifying the accuracy of changes on a real-time basis.
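The master data controls discussed in this critical element (partial edit locks on key fields, maintenance restricted to few users, approval of changes by designated owners, and an automated change log that supports ongoing monitoring) can be combined in one small maintenance module. The following is an added example for this page, not FISCAM text or GAO code; the role names, the field names, which fields are locked, and the rule that bank-account changes need a second person's approval are assumptions.

```python
"""Master data maintenance with a partial-edit lock on key fields, second-person
approval of sensitive changes, and an automated change log the data owner can
review (added example, not FISCAM text; roles, field names and the approval rule
are assumptions)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

LOCKED_FIELDS = {"vendor_id", "tax_id"}   # partial edit: cannot change after setup
SENSITIVE_FIELDS = {"bank_account"}       # changes require a second person's approval
MAINTAINERS = {"mdm_clerk"}               # few users may maintain master data
APPROVERS = {"ap_supervisor"}


@dataclass
class ChangeRecord:
    seq: int
    when: datetime
    who: str
    vendor_id: str
    field_name: str
    old: Optional[str]
    new: str
    status: str = "PENDING"              # PENDING -> APPLIED
    approved_by: Optional[str] = None


class VendorMaster:
    def __init__(self):
        self.records = {}     # vendor_id -> field dict
        self.log = []         # every create/change, whether or not it needed approval

    def create(self, who, when, vendor):
        if who not in MAINTAINERS:
            raise PermissionError(f"{who} may not maintain master data")
        vid = vendor["vendor_id"]
        if vid in self.records:
            raise ValueError("duplicate vendor id")      # validity of master records
        self.records[vid] = dict(vendor)
        for name, value in vendor.items():
            self._log(when, who, vid, name, None, value, status="APPLIED")

    def request_change(self, who, when, vendor_id, field_name, new):
        if who not in MAINTAINERS:
            raise PermissionError(f"{who} may not maintain master data")
        if field_name in LOCKED_FIELDS:
            raise ValueError(f"{field_name} is locked after setup")
        rec = self.records[vendor_id]
        cr = self._log(when, who, vendor_id, field_name, rec.get(field_name), new)
        if field_name not in SENSITIVE_FIELDS:
            self._apply(cr, approved_by=None)     # applied at once, but still logged
        return cr

    def approve(self, who, seq):
        if who not in APPROVERS:
            raise PermissionError(f"{who} may not approve changes")
        cr = self.log[seq - 1]
        if cr.who == who:
            raise PermissionError("requester may not approve own change")
        if cr.status == "PENDING":
            self._apply(cr, approved_by=who)
        return cr

    def pending(self):
        """Review list for the data owner: sensitive changes awaiting approval."""
        return [c for c in self.log if c.status == "PENDING"]

    def _log(self, when, who, vid, name, old, new, status="PENDING"):
        cr = ChangeRecord(len(self.log) + 1, when, who, vid, name, old, new, status)
        self.log.append(cr)
        return cr

    def _apply(self, cr, approved_by):
        self.records[cr.vendor_id][cr.field_name] = cr.new
        cr.status, cr.approved_by = "APPLIED", approved_by


def run_sample():
    """Constructed scenario: setup, a routine change, a bank-account change, a blocked edit."""
    vm = VendorMaster()
    t = datetime(2024, 3, 5, 9, 0)
    vm.create("mdm_clerk", t, {"vendor_id": "10009", "tax_id": "TAX-TEST-1",
                               "name": "Acme Supply", "bank_account": "ACCT-TEST-0001"})
    vm.request_change("mdm_clerk", t, "10009", "name", "Acme Supply Ltd")
    bank = vm.request_change("mdm_clerk", t, "10009", "bank_account", "ACCT-TEST-0002")
    pending_before = [c.seq for c in vm.pending()]
    try:
        vm.request_change("mdm_clerk", t, "10009", "tax_id", "TAX-TEST-9")
        locked_rejected = False
    except ValueError:
        locked_rejected = True
    vm.approve("ap_supervisor", bank.seq)
    return vm, pending_before, locked_rejected


if __name__ == "__main__":
    vm, pending_before, locked_rejected = run_sample()
    for c in vm.log:
        print(c.seq, c.who, c.field_name, c.old, "->", c.new, c.status, c.approved_by)
```

The change log is written before a change is applied and regardless of whether approval was needed, so the "master data audit" and the ongoing review by the data owner read the same record; the pending list is what a real-time monitoring routine would work from.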

For federal systems, NIST SP 800-53 includes the following controls

SI-9    Information Input Restrictions

SI-10   Information Accuracy, Completeness, Validity, and Authenticity

SI-11   Error Handling


4.3. Interface Controls (IN)

Interface controls consist of those controls over the (1) timely,
accurate, and complete processing of information between
applications and other feeder and receiving systems on an on-going
basis, and (2) the complete and accurate migration of clean data during

exchange of data between two
referred to in this section as the source and
target. These applications may reside on the

electronically or on paper.

Additionally there may be

for interfaces,
conversion, and loading of
data between two applications. The data input, validation, and
output controls within an application are addressed in the preceding
business process control sections. To the extent that data input is
obtained from other applications, the auditor's assessment of this data
should be coordinated with data input controls discussed in section
4.2 of this chapter.

The interface process, including conversions, can be broken down
into the following seven steps:

1. Interface strategy - A documented strategy is developed to keep
data synchronized between source and target application. The
strategy should include an explanation of each interface, the
interface method chosen (manual or batch, etc.), the data fields
being interfaced, the controls to reasonably assure that the data
is interfaced completely and accurately, timing requirements,
definition of responsibilities, on-going system balancing
requirements, and security requirements.

2. Data Export/Extraction - The information needs of the target
application (key information fields, ID fields and cross-reference
fields) should be fully understood and documented. If the
information needs are not fully understood, all relevant data may
not be extracted. In addition, appropriate procedures should be
in place concerning the format, quality, cut-off, and audit trails

a. The format of the source data should be checked to
reasonably assure that the information is available,
accurate and at the appropriate level of detail. If the
source data quality is poor, the data may not be able to be
interfaced.

b. Data processing should be cut-off as of a specific time to
reasonably assure that the data is extracted for the proper

c. Sufficient audit trails should exist for the source
application, such that once the data is extracted, the
original audit trail remains. For instance, invoices can be
traced back to the applicable purchase order in the source

3. Data Mapping/Translation - Data mapping and translation is the
process of converting source data from the source application
format to the target application format. If the data is not entered
in the target application in exactly the same way as it is
expected, target application edit and validation checks may be

into the target application. Appropriate controls, such as
database indices that enforce uniqueness, should be in place to
prevent duplicate pr


5. Error Handling and Reconciliation procedures - The procedures
developed to reasonably assure that all transactions are
accounted for and that all errors are identified, isolated,
analyzed, and corrected in a timely manner.

6. Job definition, Scheduling and Error Triggering - Due to

sensitive data. Access to interface data and processes should be

The objectives of interface controls are:

•  Implement an effective interface strategy and design

•  Implement effective interface processing procedures, including

o  interface errors are rejected, isolated and collected in a
timely manner.

o  access to interface data and processes are properly
restricted. Data is reliable and obtained only from
authorized sources.


For federal systems, NIST SP 800-53 includes the following controls
related to interfaces:

SI-10   Information Accuracy, Completeness, Validity, and
Authenticity

SI-11   Error Handling


Critical Elements

The critical elements for interface controls are:

IN-1  Implement an effective interface strategy and design
IN-2  Implement effective interface processing procedures

Because weaknesses in interface controls can affect the
achievement of all of the control objectives (completeness,
accuracy, validity, and confidentiality) related to applications data,
the control activities in the control tables for interface controls do
not contain reference to specific control objectives.


Critical Element IN-1. Implement an effective interface strategy and design.

Interface strategy is the basis for the interface design and scope. An
interface strategy includes an explanation of each interface, the
interface method chosen (manual or batch, etc.), the data fields
being interfaced, the controls to reasonably assure that the data is
interfaced completely and accurately, timing requirements,
assignment of responsibilities, on-going system balancing
requirements, and security requirements. Interface design uses
guidelines set by the strategy and provides specific information for
each of the characteristics defined in the strategy.


Critical Element IN-2. Implement effective interface processing procedures.


include balancing by ensuring the opening balance control totals
plus processed transactions equal the closing balance of control
totals. Both the applications (source and target) are typically
designed with controls so that data are controlled by the use of
control totals, record counts, batching run totals, or other data
logging techniques. These types of controls are commonly referred
to as balancing controls. Records or data produced by one
application may be used in another application and may have
dependencies that are based upon the sequential processing of data.
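The balancing controls just described (control totals and record counts produced by the source, re-computed and compared at the target, with opening balance plus processed transactions equal to the closing balance) and the uniqueness control from the data loading step above are shown together in this added example. It is written for this page and is not FISCAM text or GAO code; the record layout, the run data, the use of a SHA-256 digest as an additional control figure, and the in-memory key set standing in for a unique database index are assumptions.

```python
"""Interface balancing controls: the source run produces a control record
(record count, hash total, digest); the target re-computes it over what
arrived, rejects duplicates, and proves opening + processed = closing
(added example, not FISCAM text; record layout and run data are constructed)."""
from dataclasses import dataclass
from decimal import Decimal
import hashlib
import json


@dataclass(frozen=True)
class Rec:
    key: str          # unique transaction key from the source system
    amount: Decimal


@dataclass
class ControlRecord:
    run_id: str
    record_count: int
    hash_total: Decimal
    digest: str       # SHA-256 over the serialized records; detects alteration in transit


def build_control_record(run_id: str, records: list) -> ControlRecord:
    payload = json.dumps([[r.key, str(r.amount)] for r in records]).encode()
    total = sum((r.amount for r in records), Decimal("0"))
    return ControlRecord(run_id, len(records), total, hashlib.sha256(payload).hexdigest())


class TargetLedger:
    def __init__(self, opening_total: Decimal):
        self.total = opening_total
        self.loaded_keys = set()    # stands in for a unique index on the key
        self.log = []               # interface processing log

    def load_run(self, ctrl: ControlRecord, received: list) -> dict:
        got = build_control_record(ctrl.run_id, received)
        # Run-level completeness: what arrived must match what the source controlled.
        for name, sent, seen in (("record_count", ctrl.record_count, got.record_count),
                                 ("hash_total", ctrl.hash_total, got.hash_total),
                                 ("digest", ctrl.digest, got.digest)):
            if sent != seen:
                self.log.append(f"{ctrl.run_id}: {name} mismatch, run rejected")
                return {"run_id": ctrl.run_id, "status": "REJECTED", "reason": name,
                        "accepted": 0, "rejected": 0, "closing": self.total}
        opening, posted, accepted, rejected = self.total, Decimal("0"), 0, 0
        for r in received:
            if r.key in self.loaded_keys:         # duplicate posting rejected
                self.log.append(f"{ctrl.run_id}: duplicate {r.key} rejected")
                rejected += 1
                continue
            self.loaded_keys.add(r.key)
            self.total += r.amount
            posted += r.amount
            accepted += 1
        balanced = opening + posted == self.total   # balancing control
        self.log.append(f"{ctrl.run_id}: accepted {accepted}, rejected {rejected}, "
                        f"opening {opening} + posted {posted} = closing {self.total}")
        return {"run_id": ctrl.run_id, "status": "LOADED", "accepted": accepted,
                "rejected": rejected, "posted": posted, "closing": self.total,
                "balanced": balanced}


def run_sample():
    """Three constructed runs: clean, one record lost in transit, one re-sent record."""
    target = TargetLedger(Decimal("1000.00"))
    run1 = [Rec("A1", Decimal("100.00")), Rec("A2", Decimal("250.50")), Rec("A3", Decimal("75.25"))]
    run2 = [Rec("B1", Decimal("10.00")), Rec("B2", Decimal("20.00")), Rec("B3", Decimal("30.00"))]
    run3 = [Rec("C1", Decimal("5.00")), Rec("A2", Decimal("250.50"))]
    results = [
        target.load_run(build_control_record("RUN-1", run1), run1),
        target.load_run(build_control_record("RUN-2", run2), run2[:2]),   # B3 lost
        target.load_run(build_control_record("RUN-3", run3), run3),       # A2 re-sent
    ]
    return target, results


if __name__ == "__main__":
    target, results = run_sample()
    for line in target.log:
        print(line)
```

A run whose control figures do not match is rejected whole rather than partially posted, so the source can be asked to resend it; a duplicate inside an otherwise matching run is rejected individually and shows up as a difference between the source's hash total and the amount actually posted, which is exactly what the reconciliation procedure has to explain.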

source and target applications.


•  If the interface is run on a regular schedule to process data,
either manually or automatically, documented procedures
explain how this is performed, including controls in place to
reasonably assure that all processing was completed.

•  An interface processing log is maintained and reviewed for

processing. Types of information that should be considered for
logging are descriptions of any errors encountered, dates
identified, any codes associated with errors, any corrective

•  Procedures are in place to use the correct generation/cycle of
files for processing. This may include the generation of backup
files from processing to be used for disaster recovery.

•  Audit trails are generated during processing. These audit trails
should be logs or reports that contain information about each
interface. Data that should be included are who initiated each of
the interfaces, the date and time of the run, the source system,
and the results.

•  Procedures are implemented to identify and correct any errors
that occur during the interface run. Error handling procedures
during data entry should reasonably assure that errors and
irregularities are detected, reported, and corrected. Errors
should be corrected in the source system and reprocessed
through the next run


procedures should include
requests, authorization, and


4.4 Data Management System Controls (DA)

such as edit checks, existence checks and thresholds described in

Critical Element DA-1. Imp

When assessing the effectiveness of application controls, the auditor
should evaluate functions of data management systems specific to
the business processes under review, in addition to the general
controls described in Chapter 3. When auditors are evaluating
application security plans and independently assessing risk,

highlights certain key concepts the auditor considers
data management systems, including
middleware, cryptography, data
warehouse, and data reporting/data extraction software.


Key Concepts - Database Management Systems

system should include consideration

•  Directly, via the database management system;

•  Through access paths generated by the application; or

•  database

•  Enforcement of unique accounts for each administrator; and

•  Effective monitoring of privileged account use.




Generally, there are two methods of authentication using a data

generic ID to authenticate to the database on behalf of end-users.
These generic IDs should have their access privileges carefully
scrutinized to only provide access to what the lowest level of end-user
is permitted to access. There should be a limited number of generic
IDs within the database supported by well-documented and


systems; however they are still used in some modern applications.
Each different hierarchical database product is proprietary in design
and implementation. If achieving audit objectives involving
hierarchical databases is a requirement, staff with knowledge of the
specific database product will be necessary. Relational databases
(such as Oracle, DB2, and SQL Server) share a common design
based on relational algebra and a common data access method,
called the Structured Query Language (SQL). While there are

database products, they are similar enough that staff should be able
to perform audit work in most relational database systems with a
common skill set. The discussion in this chapter will focus on
relational database systems.


There are two categories of commands available through SQL: data definition language statements (DDL) and data manipulation language statements (DML). DDL statements are used to define and alter the structures or objects that contain and support access to data. DDL statements are used to create, alter, and delete objects such as tables and indices. DML statements are used to retrieve,

Application end-users would not normally need to use DDL
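The DDL/DML distinction above is something an auditor can apply mechanically to a DBMS audit-log extract: statements whose leading keyword creates, alters, or drops objects are DDL, the rest are DML, and DDL issued from an ordinary end-user or application account is an exception worth following up, as is data modification that bypasses the application and goes directly through the DBMS. The following is an added example written for this page, not code from the FISCAM manual or GAO; the log format (`timestamp|db_user|client_program|sql_text`), the account names (`svc_webapp`, `dba1`, `alice`) and the program names are constructed for illustration.

```python
"""Classify SQL statements from a DBMS audit-log extract as DDL or DML and
flag uses that the guidance above treats as exceptions.

Added example, not part of the FISCAM manual. The log format, account names
and program names are constructed for illustration.
"""
import re
from collections import Counter

# Constructed sample records: timestamp|db_user|client_program|sql_text
SAMPLE_LOG = """\
2024-03-01T09:00:01|svc_webapp|webapp|SELECT * FROM GL_JOURNAL WHERE id = 42
2024-03-01T09:00:05|svc_webapp|webapp|INSERT INTO GL_JOURNAL (id, amt) VALUES (43, 10)
2024-03-01T09:01:10|dba1|sqlplus|ALTER TABLE GL_JOURNAL ADD COLUMN note TEXT
2024-03-01T09:02:00|svc_webapp|webapp|DROP TABLE GL_JOURNAL_BAK
2024-03-01T09:03:30|alice|reporting|  select count(*) from gl_journal
2024-03-01T09:04:00|alice|sqlplus|DELETE FROM GL_JOURNAL WHERE id = 7
"""

# DDL defines or alters objects; DML reads or changes the data they hold.
DDL_VERBS = {"CREATE", "ALTER", "DROP", "TRUNCATE"}
DML_VERBS = {"SELECT", "INSERT", "UPDATE", "DELETE", "MERGE"}
MODIFYING_DML = {"INSERT", "UPDATE", "DELETE", "MERGE"}

# Hypothetical inventory an auditor would obtain from the entity.
ADMIN_ACCOUNTS = {"dba1"}                  # accounts expected to issue DDL
APP_PROGRAMS = {"webapp", "reporting"}     # the sanctioned application access paths


def leading_verb(sql):
    """Return the first SQL keyword, upper-cased, ignoring leading whitespace."""
    m = re.match(r"\s*([A-Za-z]+)", sql)
    return m.group(1).upper() if m else ""


def classify(sql):
    verb = leading_verb(sql)
    if verb in DDL_VERBS:
        return "DDL"
    if verb in DML_VERBS:
        return "DML"
    return "OTHER"


def parse_log(text):
    """Parse the constructed pipe-delimited format into one dict per statement."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, program, sql = line.split("|", 3)
        records.append({"ts": ts, "user": user, "program": program,
                        "sql": sql, "verb": leading_verb(sql), "kind": classify(sql)})
    return records


def find_exceptions(records):
    """Flag DDL from non-administrative accounts and data changes made outside
    the application (i.e. directly through the DBMS)."""
    exceptions = []
    for r in records:
        if r["kind"] == "DDL" and r["user"] not in ADMIN_ACCOUNTS:
            exceptions.append((r["ts"], r["user"], "DDL issued by non-administrative account"))
        if r["verb"] in MODIFYING_DML and r["program"] not in APP_PROGRAMS:
            exceptions.append((r["ts"], r["user"], "data modified directly via the DBMS"))
    return exceptions


def summarize(records):
    """Count statements per category (DDL / DML / OTHER)."""
    return Counter(r["kind"] for r in records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(dict(summarize(recs)))
    for e in find_exceptions(recs):
        print(*e)
```

On the sample above the classifier reports two DDL and four DML statements and raises two exceptions: the `DROP TABLE` issued by the generic application ID, and the `DELETE` that a named user ran through a command-line client rather than the application. A real extract would need the entity's own list of administrative accounts and sanctioned client programs in place of the constructed sets.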


System, Role, Object Privileges

A user privilege is a right to execute a particular type of Structured Query Language (SQL) statement.


There are two types of data management system privileges: system and object. System privileges are granted by users (usually administrators).

Object privileges (through DML statements) allow the user to have access to the data within an object or allow the user to execute a stored program. These include SELECT, INSERT, DELETE, etc. Each type of object has different privileges associated with it. Examples of database objects include the following:

• Tables - A data structure containing a collection of rows (or records) that have associated columns (or fields). It is the logical equivalent of a database file.

• Index - A database object that provides access to data in the rows of a table, based on key values. Indexes provide quick

• Triggers - A special form of a stored procedure that is carried out automatically when data in a specified table is modified. Triggers are often created to enforce referential integrity or consistency among logically related data in different tables.

• Stored procedure - A precompiled collection of SQL or other statements and optional control-of-flow statements stored under a name and processed as a unit. Stored procedures are stored within the data management system.


A role must be enabled for a user before it can be used by the user. Predefined roles exist that can be granted, such as the database administrator (DBA) role. The auditor should review the privileges granted to each role, and then analyze the role(s) granted to each user. Roles that grant high-level access, or permit direct manipulation of data in the database, are very sensitive. The auditor should evaluate controls over the use of such roles.


data management system. These programs can be executed directly by a user or they can be called by other programs. Most data management systems are prepackaged with stored procedures that provide a structured and controlled method of administering the database. For example, when the administrator creates a user, the database management system uses a stored procedure to perform the steps necessary to create that account. In addition, custom stored procedures can be created to support additional functionality. The auditor should review stored procedures that


Key Concepts - Middleware


Tying the components together is often accomplished through the use of specialized data transport/communications software commonly known as middleware. A popular example of this type of software is IBM's MQSeries. Middleware is used to connect applications together in varying architectures, including interconnected systems

error detection and correction facilities. Middleware can also be an important aspect of an application's continuity of operations, being configured to support multiple data paths to eliminate single points of failure.


Middleware Controls


One example is an application component logging onto a back-end host and database management system. An application's controls often rely on encrypted transmission of information between components. This protection may be a function of the implementation of middleware, sometimes in conjunction with how the channels are configured across the network. As with other data management systems, auditors should identify the staff with administrative access privileges to middleware and verify that appropriate controls are in place.


Key Concepts - Cryptography


beyond the scope of this guidance. When it is necessary to evaluate the effectiveness of cryptographic controls to achieve audit objectives, the auditor should obtain the services of adequately qualified specialists.


Key Concepts - Data Warehouse, Data Reporting and Data Extraction Software


Increasingly, modern applications are parts of larger data stores. This is certainly the case with ERP environments, but also in the realm of interconnected and interfaced systems that supply information used for purposes beyond the application itself. One common element of such information architectures is the data warehouse.

Important questions related to audit objectives and system boundaries need to be addressed. Unless the data warehouse itself is the subject of the audit, its relationship to the audit objectives and the potential risks created by the data warehouse need to be identified and evaluated. Since a data warehouse may represent a copy of information from other systems that are part of the audit, it may warrant consideration. Additionally, the auditor may need to thoroughly understand how the entity uses the data warehouse. In a financial audit, for example, financial statements may be prepared, in part, from the data warehouse instead of directly from the general ledger.

A data warehouse typically exists to facilitate analysis and reporting from a large quantity of data. Supporting the efficient use of a data warehouse will often be specialized data reporting and data extraction software tools. The existence of these tools and data


Segregation of Duties


The auditor should also evaluate the segregation between administering the data management system and reviewing audit and transaction logs. The data management system administrator should not have access to the audit logs within the data management system. These logs should be reviewed by a security administrator.

There should also be a separation between the functional aspects of the data management system environments. Data management system access should be consistent with the functional separation of duties within the application environment. Users that are developers should have access to the development environment only, and consequently only the development data management system. Users that require access to production should only have access to the production data management system.
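The role and privilege review described under "System, Role, Object Privileges" and the segregation checks just described (generic IDs limited to the lowest level of end-user access, administrators kept away from the audit logs, developers kept off the production DBMS) can be worked from a catalog extract rather than by hand. The following is an added example written for this page, not code from the FISCAM manual or GAO. It assumes the auditor has exported two dictionary views from a relational DBMS, role grants and object privileges, plus an account inventory from the entity; every table, account and role name here (`GL_JOURNAL`, `AUDIT_LOG`, `svc_webapp`, `APP_WRITE`, and so on) is constructed, and the nested-role walk is done with SQLite's recursive common table expression so that privileges inherited through role chains are not missed.

```python
"""Review DBMS role and privilege grants for the conditions described above:
high-level roles, generic IDs with more than end-user access, administrators
who can read the audit logs, and developer accounts on the production DBMS.

Added example, not part of the FISCAM manual. The catalog extract, account
names and object names are constructed for illustration; the table layout
mimics the role-grant and object-privilege dictionary views an auditor would
export from a relational DBMS.
"""
import sqlite3

# Constructed extract: (grantee, granted_role). A grantee may be a user or a
# role, so roles nest (APP_WRITE includes APP_READ).
ROLE_GRANTS = [
    ("APP_WRITE", "APP_READ"),
    ("alice", "APP_READ"),
    ("bob", "APP_WRITE"),
    ("svc_webapp", "APP_WRITE"),   # generic ID used by the application tier
    ("dba1", "DBA"),
    ("dba2", "DBA"),
]
# Constructed extract: (grantee, privilege, object).
OBJECT_PRIVS = [
    ("APP_READ", "SELECT", "GL_JOURNAL"),
    ("APP_WRITE", "INSERT", "GL_JOURNAL"),
    ("APP_WRITE", "UPDATE", "GL_JOURNAL"),
    ("APP_WRITE", "DELETE", "GL_JOURNAL"),
    ("DBA", "ALTER", "GL_JOURNAL"),
    ("DBA", "EXECUTE", "SYS.CREATE_USER"),
    ("dba2", "SELECT", "AUDIT_LOG"),      # direct grant, not via any role
    ("sec_admin", "SELECT", "AUDIT_LOG"),
]
# Constructed account inventory: user -> (kind, DBMS environment, job function)
ACCOUNTS = {
    "alice": ("named", "prod", "analyst"),
    "bob": ("named", "prod", "developer"),
    "svc_webapp": ("generic", "prod", "application"),
    "dba1": ("admin", "prod", "dba"),
    "dba2": ("admin", "prod", "dba"),
    "sec_admin": ("named", "prod", "security"),
}
GENERIC_ALLOWED = {"SELECT", "INSERT"}   # lowest level of end-user access
HIGH_LEVEL_ROLES = {"DBA"}
AUDIT_LOG_OBJECTS = {"AUDIT_LOG"}


def load_catalog():
    """Load the constructed extract into an in-memory SQLite database."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE role_grants(grantee TEXT, role TEXT);
        CREATE TABLE obj_privs(grantee TEXT, priv TEXT, obj TEXT);
    """)
    con.executemany("INSERT INTO role_grants VALUES (?, ?)", ROLE_GRANTS)
    con.executemany("INSERT INTO obj_privs VALUES (?, ?, ?)", OBJECT_PRIVS)
    return con


# Recursive walk from a user through every role it holds, directly or nested.
REACH_CTE = """
    WITH RECURSIVE reach(name) AS (
        SELECT ?
        UNION
        SELECT rg.role FROM role_grants rg JOIN reach ON rg.grantee = reach.name
    )
"""


def effective_roles(con, user):
    """All roles a user holds, including those nested inside other roles."""
    rows = con.execute(REACH_CTE + "SELECT name FROM reach WHERE name != ?", (user, user))
    return {r[0] for r in rows}


def effective_privileges(con, user):
    """Set of (privilege, object) held directly or through any nested role."""
    rows = con.execute(
        REACH_CTE + "SELECT DISTINCT p.priv, p.obj FROM obj_privs p "
                    "JOIN reach ON p.grantee = reach.name", (user,))
    return set(rows)


def review(con):
    """Apply the four checks to every account; returns (user, issue, detail)."""
    findings = []
    for user, (kind, env, job) in sorted(ACCOUNTS.items()):
        roles = effective_roles(con, user)
        privs = effective_privileges(con, user)
        if roles & HIGH_LEVEL_ROLES:
            findings.append((user, "holds high-level role", sorted(roles & HIGH_LEVEL_ROLES)))
        if kind == "generic":
            excess = sorted({p for p, _ in privs if p not in GENERIC_ALLOWED})
            if excess:
                findings.append((user, "generic ID exceeds end-user access", excess))
        if job == "dba":
            logs = sorted({o for _, o in privs if o in AUDIT_LOG_OBJECTS})
            if logs:
                findings.append((user, "administrator can read audit logs", logs))
        if job == "developer" and env == "prod":
            findings.append((user, "developer account on production DBMS", [env]))
    return findings


if __name__ == "__main__":
    for f in review(load_catalog()):
        print(*f)
```

Run against the constructed extract, the review lists both DBA accounts as holders of a high-level role, shows that the generic application ID inherits UPDATE and DELETE through the nested `APP_WRITE` role, catches the direct `SELECT` on `AUDIT_LOG` granted to one administrator outside any role, and flags the developer account present on the production DBMS. The findings are the starting point for the auditor's evaluation of controls over those roles and accounts, not a conclusion on their own.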


Control Techniques and Suggested Audit Procedures for Critical Element DA-1


achievement of all of the control objectives (completeness, accuracy, validity, and confidentiality) related to application data, the control activities in the control tables for interface controls do not contain references to specific control objectives.




Appendix  I  -  Information  System  Controls 
Audit  Planning  Checklist 


The auditor should obtain and document a preliminary understanding of the design of the entity's information system (IS) controls, including:

• Understanding the entity's operations and key business processes;

• Obtaining a general understanding of the structure of the entity's networks; and

• Obtaining a preliminary understanding of IS controls.


In addition to this checklist, the auditor should obtain and review relevant reports and other documents concerning IS that are issued by or about the entity.

To facilitate this process, the following checklist has been developed as a guide for the auditor to collect preliminary information from the entity at the start of the audit. This checklist is intended as a starting point for collecting relevant IS control information. The information request can be tailored to the type of audit being performed. For example, an audit of application controls could be limited to the information needs listed in Sections I, II, and IV. The extent of the information requested from the entity will vary depending on whether this is a first-year or follow-up review of IS controls. Also, as a result of the auditor's initial review and analysis of the information collected in this process, additional detailed information may need to be subsequently requested from the entity. The checklist is organized to request information on the entity's:

• organization and key systems/applications,

• prior audit reports/documents,

• IS general controls, and

• IS business process application level controls.

This appendix is downloadable as a Microsoft Word® document on http://www.gao.gov/special.pubs/fiscam.html.


I. Entity's Organization and Key Systems/Applications

information includes

system and version. Note: FISMA requires agencies to maintain an inventory of all major systems.

1. Name and functional description of relevant operating environments (e.g., general support systems (GSS)), including locations.

6. List of contractors, third parties, or other governmental entities that process information and/or operate systems for or on behalf of the entity.

implemented within the recent past (e.g., within 2 years) or planned within the near future (e.g., 2 years).


1. Internal or third-party

2. The entity's prior FISMA or equivalent entity reports on IS.

3. The entity's annual performance and accountability report or equivalent reports (e.g., reports prepared under the Federal Financial Management Improvement Act of 1996 (FFMIA), Federal Managers' Financial Integrity Act of 1982 (FMFIA), Government Management and Reform Act (GMRA) and/or Accountability of Tax Dollars Act of 2002 (ATDA), as applicable).

4. Other reports by management, including privacy impact assessments and vulnerability assessments.


process application controls at the application level. General controls include security management, access controls, configuration management, segregation of duties, and contingency planning.


III.1 IS General Controls - Security Management

Security management provides a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of the entity's computer-related controls. The program should reflect the entity's consideration of the following critical elements for security management: an established security management program, periodic risk assessments, documented security policies and procedures, established security awareness training, and periodic management testing and evaluation of major systems. Other elements include implementing effective security-related personnel policies and ensuring that activities performed by external third parties are adequately secure. Relevant information for this control category includes the following:


0MB. 


relevant systems (e.g., GSS and major

4. Documented security plans for relevant systems (e.g., GSS and major applications being reviewed).

5. Entity performance measures and compliance metrics for monitoring the security processes.

6. Management's plans of actions and milestones or their equivalent that identify corrective actions planned to address known IS weaknesses and the status of prior-year security findings.

7. Entitywide policies and procedures for:

• structure and responsibilities, including system inventories,

• employees, contractors, and third parties (including those in sensitive security

• monitoring activities of third-party providers supporting specific


Inadequate access controls diminish the reliability of computerized information and increase the risk of unauthorized disclosure, modification, and destruction of information and disruption of service. Access controls include those related to protecting system boundaries, user identification and authentication, authorization, protecting sensitive system resources, audit and monitoring, and physical security. Relevant information for this control category includes the following:


1. High-level network schematic which identifies external network connections,

contractor sites, and other external organizations.

2. Network schematic of all GSS (by site) identifying:

• intrusion detection systems,

• critical systems, such as web and application servers, file transfer systems, etc.,

• network management systems,

• connectivity with other entity sites,

• remote access - virtual private networks and dial-in, and

• wireless connections.


• documentation of basic security configuration settings, i.e., Windows-

mainframe systems

• IP addresses,

• description and use of each LPAR configuration (production and non-production), including a list of user applications and software installed on each LPAR and a description of any test or development activity in each LPAR.


5. Entitywide policies and procedures for:

• monitoring mainframe, mid-level

• incidents, including management response and reporting on unusual activities, intrusion attempts, and

• controlling physical security, including those concerning the granting and controlling of physical access to the data center and other IT


Configuration management involves the identification and management of security features for all hardware and software components of an information system at a given point and systematically controls changes to that configuration during the system's life cycle. By implementing configuration management, organizations can ensure that only authorized applications and software programs are placed into production through establishing and maintaining baseline configurations and monitoring changes in these configurations. Configuration management includes

including the approval and testing of scheduled and emergency changes,

authorizing, testing, approving, and tracking all configuration changes, and monitoring/auditing the configuration,


1. Entitywide policies and procedures for:

• segregating duties,

• periodically reviewing access authorizations.

determine that control techniques for segregating incompatible duties are functioning as intended.


1. Entitywide policies and procedures for:

• assessing the availability needs of entity systems,

• backing up data, programs, and software, and

• controls, including detection and response, hardware maintenance and problem management, alternate work sites,


Certification and accreditation, or

2. Documented security plans for relevant applications.

3. Documented risk

4. High-level schematic of application boundaries that identifies controlled

• firewalls, routers, and switches,

• and other external organizations,

• remote access - virtual private networks and dial-in, and


5. Inventory of mid-level systems (Unix, Windows, etc.) supporting applications being reviewed, including:

• security software/versions,

• list of systems/applications supported,

• dataset naming conventions for the configuration, utility software, applications, and security software,

• documentation of basic security configuration settings, i.e., Windows-based, Unix.


6. Inventory of mainframe systems supporting applications being reviewed, including:

• operating system/versions,

• security software/versions,

• software installed

• configuration, utility software, applications, and security software, load library and module name.


8. Corrective action plan for identified IS weaknesses, including a listing of weaknesses corrected.

9. Segregation of duties control matrices for job functions/responsibilities.

10. Application contingency plan and related disaster recovery, business continuity, and business resumption plans, including test results.

11. Documentation on data validation and edit checks, including auditing and monitoring processes.


14. Policies and procedures for relevant

• security requirements and monitoring activities of third-party providers supporting relevant

• configuration management process at the application level, including the approval and testing of scheduled and emergency application program changes and procedures to ensure compliance,

• backing up relevant application data

file data configuration

16. Documentation describing system output, format of the output, and controls over the output.


Appendix II - Tables for Summarizing Work Performed in Evaluating and Testing General and Business Process Application Controls

audit. They are a consolidation of the tables of critical elements, control activities, control techniques, and related suggested audit procedures that are included after the discussion of each critical element. To reduce documentation and allow the tables to be tailored to individual audits, the tables are downloadable as Microsoft Word® documents from GAO's FISCAM web site at http://www.gao.gov/special.pubs/fiscam.html.

These tables can be used as a guide during initial interviews and to document the preliminary assessment of controls. As the audit progresses, the auditor can continue to use the electronic version of the tables to document controls evaluated and tested, test procedures performed, conclusions, and supporting work paper references.

Note: The first page of the table is provided below for illustration purposes.


Appendix III - Tables for Assessing the Effectiveness of General and Business Process Application Controls

The tables in this appendix are provided for the auditor's use in recording the control effectiveness for each critical element in each control category, as well as formulating an overall assessment of each control category. Judging control effectiveness should be based on the results of audit work performed and assessments of control effectiveness for specific control techniques, as summarized in Appendix II. After completing Appendix III, the auditor should prepare a narrative summarizing the control effectiveness for general and business process controls. The general control narrative should also state whether or not audit work should be conducted to determine the reliability of business process controls at the application level. These tables are downloadable as Microsoft Word® documents from GAO's FISCAM web site at http://www.gao.gov/special.pubs/fiscam.html.


General Controls

Security Management

Contingency Planning

Business Process Application Level Controls

Application Security

Data Management System Controls

Assessment(s) on control effectiveness involving cross-cutting controls issues:


Appendix IV - Mapping of FISCAM to NIST SP 800-53 and Other Related NIST Publications

In the table below, FISCAM is mapped to NIST Special Publication (SP) 800-53. Individual FISCAM general and business process control activities are referenced to related NIST 800-53 controls.


FISCAM Controls
General Controls: Security Management

assess and validate risks

Related NIST SP 800-53 Controls

PL-2 System Security Plan

PL-3 System Security Plan Update

PL-6 Security-Related Activity Planning

SA-2 Allocation of Resources

RA-4 Risk Assessment Update
See first control for each family

SM-1. Implement effect

PL-4 Rules of Behavior


FISCAM Controls

SM-4. Implement effective security awareness and other security-related personnel policies (continued)

SM-5. Monitor effectiveness of the

SM-7. Ensure that activities performed by external third parties are adequately secure

Access Controls:
AC-1. Adequately protect

Personnel Security Policy and Procedures
Position Categorization

AC-20 Use of External Information Systems

MA-4 Remote Maintenance
PS-7 Third-Party Personnel Security
SA-9 External Information System Services


Information Flow Enforcement

FISCAM Controls

Related NIST SP 800-53 Controls

Access Controls:

AC-1. Adequately protect information system boundaries (continued)

AC-11
AC-12
AC-17

System Use Notification
Previous Logon Notification
Session Lock


FISCAM Controls

Related NIST SP 800-53 Controls

Access Controls:

AC-2. Implement effective identification and authentication (continued)

AC-4. Adequately protect sensitive


FISCAM Controls

Related NIST SP 800-53 Controls

Access Controls:

IR-2 Incident Response Training
IR-3 Incident Response Testing

IR-5 Incident Monitoring
IR-6 Incident Reporting
IR-7 Incident Response Assistance


FISCAM Controls

Related NIST SP 800-53 Controls

Access Controls:

AC-5. Implement an effective audit and monitoring capability (continued)

Denial of Service Protection

Information System Monitoring Tools and Techniques

Security Functionality


AC-6. Establish adequate physical security

CM-1. Develop and document CM

Physical Access Authorizations
PE-3 Physical Access Control
PE-4 Access Control for Transmission Medium
PE-5 Access Control for Display Medium

PE-6 Monitoring Physical Access
PE-7 Visitor Control
PE-8 Access Records
PE-16 Delivery and Removal

Policy and Procedures

identification information

CM-3. Properly authorize, test, approve, track and control all configuration changes

SA-3 Life Cycle Support

SA-4 Acquisitions

SA-8 Security Engineering Principles


FISCAM Controls

Related NIST SP 800-53 Controls

CM-3. Properly authorize, test, approve, and track all configuration changes (continued)

CM-6. Appropriately document and approve emergency changes to the

CM-3 Configuration Change Control


FISCAM Controls

Related NIST SP 800-53 Controls

Contingency Planning:

CP-2. Take steps to prevent and minimize potential damage and interruption (continued)

PE-10 Emergency Shutoff

PE-11 Emergency Power

PE-12 Emergency Lighting

PE-13 Fire Protection

PE-14 Temperature and Humidity Controls

Water Damage Protection

CP-2 Contingency Plan

CP-5 Contingency Plan Update

CP-8 Telecommunications Services

CP-4 Contingency Plan Testing
CP-5 Contingency Plan Update


FISCAM Controls

Related NIST SP 800-53 Controls

The related NIST SP 800-53 application level general controls are identified under related General Controls above.

SI-11 Error Handling

SI-11 Error Handling


FISCAM Controls

Related NIST SP 800-53 Controls

Business Process Controls:

accurate, valid, and confidential

BP-4. Master data setup and maintenance is adequately controlled

IN-1. Implement an effective interface strategy and design

SI-10 Information Accuracy, Completeness, Validity, and Authenticity

SI-11 Error Handling

processing procedures

Related NIST SP 800-53 Controls

FISCAM Controls

DA-1. Implement an effective data


In the table below, FISCAM general and business process application level controls are mapped to related NIST publications.


FISCAM Controls

Related NIST Publications

3. Document and implement


vai>-i2.  sou- 11.  sou- IS,  sou- IS, 
01)0-23.  m)-25.  soo-^  soo-ao, 
auu-ai.  aou-a4.  sou-as.  sou-afj. 

ftOIWT,  80041, 80042, 80044, 
80045, 80046  SO&flO,  80&53A, 

80fr6i,  m<m,  aoofii,  soo-65, 

80tt66, 800-72, 800-73, 800-76, 
800-79, 80tt83, 80^84, 80a«6, 
BOOST,  8008S,  80082,  BOOM, 
800-100  


SM-4. Implement effective security awareness and other security-related personnel

SM-5. Monitor the effectiveness

SM-6. Effectively remediate

SM-7. Ensure activities performed by external third parties are adequately secure


Fips       MWT  yi>»iij-ij,  m- 

17, 800-10,  800-20,  800-22,  800-^ 
800-24, 800-26, 800-31, 800-35, 
800-36, 800-37, 80040, 30042, 
80(M4, 80M5, 80046, 800-51, 
eOOeSA,  80055,  eOCWe,  800-76, 
800-7B,  800-83, 800-^  800-^B, 

~  NISTSP8"0-lS,800-,'iO,800-37, 


FTPS  201-1,  NISr  SP  800-18, 
24, 300-28, 300%  300-11, 300-44, 
80O46, 80(M6, 80(147, 80048, 
801154, 80(158,  mom,  SOdflS, 
80I1-70, 800-73, 80O76, 80O77, 
80O78, 80O82, 80O83, 30O«7, 


General Controls: Access Controls

AC-4. Adequately protect

monitoring capability


FIPS  200.  NIST  SP  SOO-12.  a 

H.  snu-iH.  sou-n.  sou-ai.  aoMn. 

80042,  aOO-M,  300-45, 30048, 
80(W9. 80O50. 800B2, 800-54, 
800*1.  S0O66. 800-68, 800-72. 
80O81. 80a«3, 80034, 30036. 
80O89, 80002, 30094, 300-S5, 
BOOIOO,  SOO-101  


FISCAM Controls

General Controls: Configuration Management

CM-2. Maintain current

NIST  SP  8003.5, 80040,  80043, 
80014,  SOO-Llj,  800-48,  800-48, 
800-54, 800-(i8, 800-70, 800-81, 

NIST  SP  800-12, 800-14, 800-21, 
800-23, 800-27, 800-30, 300-31, 
80033, 80034, 80O35, 80O36, 
80O64,  SOOeS,  80O76, 80O8&A, 
SOOSEB,  eOfyOi.  80O9T,  80O98 

CM-4. Routinely monitor the configuration

NIST  SP  800-19, 80OS1, 80044, 
80O57, 30O66, 80OS3, 800-94 

CM-5. Update software on a timely basis to protect against known vulnerabilities

NIST  SP  800-10, 800-24, 300-28, 

80042^  30043^  30044^  30045^ 
80040, 80O51, 80O58, 800-61, 
80O6B,  80O83, 800-34 

CM-6. Appropriately document and approve emergency changes to the configuration

NIST  SP  800-40, 800^  80O44, 
80O46, 30O46, 300-48, 300-54, 
80O68, 80O70, 80081, 80O82, 
80OS3 

FISCAM Controls | Related NIST Publications

General Controls:


iP  800-12, 800*6, 80im 


N  1ST  SP  80(H2, 800*6, 8(Xt08 


CP-1.  Assess  the  criticBlity  and  FIPS 199]  METT  SP  800-30, 80O 
sen^tMtv  of  con^iteed  3T.  800^,  800^,  800^0, 800*6 
operations  and  Identic 


CP-2.  Take  steps  to  prevent  and  HIST  SP  800-12, 80O21, 80O24, 
miminize  poteolial  damage  and  80020, 80O34, 80O41, 80O43, 
inlemiption  80O44,  S0O45,  aOO«l,  800^7, 

800^  80O66, 80O69, 800-81, 


FISCAM Controls | Related NIST Publications

Business Process Application Level Controls: Application Level General Controls

For AS-1 through AS-6 controls, the related NIST publications are identified under related General Controls above.




Business Process Application Level Controls: Business Process Controls

BP-1. Transaction data input is complete, accurate, valid, and confidential: NIST SP 800-44, 800-57

BP-2. Transaction data processing is complete, accurate, valid, and confidential: NIST SP 800-44, 800-57

BP-3. Transaction data output is complete, accurate, valid, and confidential: NIST SP 800-44, 800-57


FISCAM Controls | Related NIST Publications

Business Process Application Level Controls: Business Process Controls

BP-4. Master data setup and maintenance is adequately controlled: NIST SP 800-44, 800-57

Business Process Application Level Controls: Interface Controls

IN-1. Implement an effective interface strategy and design: NIST SP 800-44, 800-57

IN-2. Implement effective interface processing procedures: NIST SP 800-44, 800-57

Business Process Application Level Controls: Data Management System Controls

DA-1. Implement an effective data management system strategy and design


Appendix V - Knowledge, Skills, and Abilities Needed to Perform Information System Controls Audits

Information system (IS) controls audits require a broad range of technical skills. A key component of planning is determining the knowledge, skills, and abilities needed to perform the IS audit. Such needs are then compared with the audit team's current knowledge, skills, and abilities to identify any expertise that must be acquired. Any expertise gap can be filled through hiring, training, contracting, or staff sharing. The knowledge, skills, and abilities described in this appendix are not intended to be prescriptive, but to provide a framework to assist the auditor in determining the audit resources needed to effectively perform audit procedures in an IS audit. In addition, when contracting for IS audit services, this framework may be used as a resource to identify the specific knowledge, skills, and abilities that will be needed to perform the contracted services.


type of work being performed

assignment." The standards

a review of information systems

audit engagement should collectively possess

information technology." These skills are often described in terms of knowledge, skills, and abilities (KSAs). KSAs are typically used in job position descriptions and job announcements to describe the attributes required for those in particular jobs. These terms are defined as follows:


Knowledge - the foundation upon which skills and abilities are built. Knowledge is an organized body of information, facts, principles, or procedures that, if applied, make adequate performance of a job possible. An example is knowledge of tools and techniques used to establish logical access control over an information system.

Skill - the proficient manual, verbal, or mental manipulation of people, ideas, or things. A skill is demonstrable and implies a degree of proficiency. For example, a person may be skilled in operating a personal computer to prepare electronic spreadsheets or in using a software product to conduct an automated review of the integrity of an operating system.

li  to^y 

hll<  l^M<'ll".l'  ,11  '<  III    I.  ".  .  .11  .11  I  .1.1.  ,".  INI  III'  IIIL'  illlKllUFUIV  IM 


ing  both  oiBBy 

associated specifically with IS auditing. Although each staff member assigned to such an audit need not have all these attributes, the audit team must collectively possess the KSAs necessary to perform the audit, including adequately planning the audit, assessing the effectiveness of IS controls, testing IS controls, determining the effect of the results of testing on the audit objectives, developing findings and recommendations, and reporting the results. Audit resources may be supplemented from outside the organization
(htou^  partnering  or  et^aging  CO 


si 


As the table shows, some activities require a high degree of IT knowledge, skills, and abilities, while others involve more basic

therefore want to organize staff that have highly specialized

F4M7MMrjLI  KKIIIH  IflU)  a  SIFIIFLrFLII'  kEHhlir)  WtU  IVIS  tW.CI'St:  141 

purpose computer hardware and software. A group of this kind can focus on more technical issues, while other groups within the organization can perform the less technical work.


Appendix VI - Scope of an Information System Controls Audit in Support of a Financial Audit

This appendix provides a framework for assessing the effectiveness of information system controls audits in support of financial statement audits. Given the prevalence of the use of information systems to process financial information, performing a financial audit generally includes an assessment of the effectiveness of information system controls. The information system controls audit should be performed as an integral part of the financial audit.

This appendix is intended to assist (1) financial auditors in communicating audit requirements to IS control specialists, and (2) financial auditors and IS control specialists in understanding how an assessment of the effectiveness of IS controls integrates with financial audit requirements.

The Government Accountability Office (GAO) and the President's

Financial Audit Manual (FAM) presents a methodology for performing financial statement audits of federal entities in accordance with professional standards. FISCAM describes a methodology for performing the IS controls audit in the context of


[Table: Related FISCAM step(s) mapped to the related scope of the information system controls audit; only the following entries are recoverable.]

AUDIT PLANNING
• Identify Significant Cycles, Accounting Applications, and Financial Management
• 260 Identify Risk Factors
• Understand the Entity's [...] Networks
• Identify Key Areas of Audit Interest (applications, systems, locations)
• Assess Information System Risk on a Preliminary Basis
• Determine Likelihood of [...]
• Identify C[...]
• Planning Procedures

INTERNAL CONTROL TESTING
• Overview of the Internal Control Tests and of Tests [...] Controls Audit Tests
• Understand Information Systems Relevant to the Audit Objectives
• Identify IS Control Techniques Relevant to the Audit Objectives
• Test IS System Controls

REPORTING
• Assess Controls on a Preliminary Basis
• Draft Reports - Internal [...]


AUDIT PLANNING


IS Audit Resources

As discussed in FAM Section 110.27, the audit team should possess sufficient knowledge of IS controls to determine the effect of IT on the audit, to understand IS controls, and to consult with an IS


IS.  specialized  IS 
III'  iiiJiiiniT  in  which 


•    the entity uses emerging technologies; or

In some cases, the financial auditor may consult with IS controls specialists within the audit organization or use outside contractors

 ,  ,  Jditor 

should have sufficient knowledge to communicate the objectives of the specialists' work, to evaluate whether the specified procedures will meet the audit objectives, and to evaluate the results of the procedures as they relate to the nature, extent, and timing of further planned audit procedures.

Appendix V of the FISCAM provides a framework to assist the auditor in determining the audit resources needed to effectively perform an IS controls audit. In addition, when contracting for IS systems audit services, this framework may be used as a resource to identify the specific knowledge, skills, and abilities that will be needed to perform the contracting services requested. Section 2.I.B.D "Audit Resources" in Chapter 2 provides additional information on the use of IS controls specialists in a GAGAS audit.


IT-related FAM steps and the related


FAM 320.01 states that the auditor must obtain an understanding of the entity and its environment, including internal control, to assess the risk of material misstatement of the financial statements, whether due to error or fraud, and to design the nature, extent, and timing of further audit procedures. The following IT-related FAM sections discuss obtaining an understanding of the entity's


planning the audit, including the IT structure and the extent to which IT processing is performed externally, such as through cross-servicing agreements.


The auditor should obtain sufficient knowledge of the information systems relevant to financial reporting to understand the accounting processing from initiation of a transaction to its inclusion in the financial statements, including electronic means used to transmit, process, maintain, and access information (see AU 319.49, SAS No. 94).


The following FISCAM sections (Chapter 2) provide more specific guidance on how the auditor obtains an understanding of the


undeistaiiiiiiLU  (jL  I.  I:  .snii  ss  inh.  -.■.i  S  andnetwoilfs,  Uieaudilors 
identification of key areas of audit interest includes:


•    key business process applications and where each key business process application is processed.

upon  which  application  lev^el  controls  depend. 

These FISCAM sections include information related to the IS controls audit that should be included in audit documentation. Such information should be summarized, as appropriate, in the entity profile or an equivalent document, as discussed in FAM Section 290.04. However, the auditor generally should document internal control separately as discussed below and in FAM 390.

Identify Risk Factors

FAM Section 260.09 states that the auditor should (1) identify conditions that significantly increase inherent, fraud, and control risk (based on identified control environment, risk assessment, communication, or monitoring weaknesses) and (2) conclude whether any identified control risks preclude the effectiveness of specific control activities in significant applications. The auditor should identify specific inherent risks, fraud risks, and control environment, risk assessment, communication, and monitoring weaknesses based on information obtained in the planning phase, primarily from understanding the entity's operations, including significant IT processing performed outside the entity and preliminary analytical procedures. SAS No. 70 reports, which are discussed further in FAM 310 and in Appendix VII, may be prepared by service auditors for organizations performing significant IT processing for the entity. The auditor may find these reports useful for performing risk assessments and planning other audit procedures. The auditor should update the risk assessment throughout the audit.

FAM Section 260 states that IS controls do not affect the audit objectives for an account or a cycle. However, IS controls can introduce inherent risk factors not present in a manual accounting system. The FAM section states that the auditor should assess the overall impact of IS processing on inherent risk. The impact of these factors typically will be pervasive in nature. An IS controls specialist may assist the auditor in considering these factors and making this


on a Preliminary Basis" provides more specific guidance on how the auditor identifies IS risk (inherent and the control environment, risk assessment, communication, and monitoring components of internal


control). Also, the FISCAM section 2.1.e.B entitled "Consideration of the Risk of Fraud" provides more specific guidance concerning identification of the risk of fraud arising from IT, including coordination between the financial auditor and the IS controls specialist. In addition, the FISCAM section 2.6.1 "Additional IS Risk Factors" provides more risk factors for the auditor to consider. Further, FISCAM Appendix VII provides more information on the use of SAS 70 reports.

These FISCAM sections include information that should be included in audit documentation. In addition, such information should be summarized, as appropriate, in the GRA or equivalent document, including:

•  the assessments of overall inherent risk and the risk factors considered in the assessment, and

•  the assessments of the overall effectiveness of the control environment, risk assessment, communication, and monitoring, including whether an ineffective control environment precludes the effectiveness of specific control activities.

Determine Likelihood of Effective IS Controls


Igor  the  rehabditv  i 
of  information  processed  ov 
user  control  is  not  an  IS  con 


In the financial audit planning phase, the auditor, with the assistance of an IS control specialist, should determine whether IS controls are likely to be effective and should therefore be considered in the internal control phase. The auditor may coordinate work done to meet the provisions of FISMA with work
iiriri4i  jis  ii:in,  oi  i.iii'  iiiriiirijii  Kifn^iiieiii.aiiMii,. 

nil'  iinuiiiiinis  iiiirrimiKui  tu  doLunninii  mi^  iikiHinuoii  uiuinictivu 
IS controls based on those procedures performed while understanding the entity's operations and assessing the effects of IS controls on inherent risk and the control environment, risk assessment, communication, and monitoring. Under SAS No. 109, the auditor should sufficiently understand each of the five components of internal control—control environment, risk assessment, information and communication, monitoring, and control activities—to assess the risk of material misstatement. This
iiiinpif;iaimiii];i^iiiMim  iiii^iimp  ivKrvaiii.  in  nnneriA. 


identification of critical control points), the auditor should identify those other IS controls (general and business process application controls) upon which the effectiveness of the controls in the SCE depend. These other IS controls also need to be effective for the specific controls in the SCE to be effective. FISCAM Appendices II and III can be used to document such controls.

IS controls can be classified into three types:

•    general controls - GAGAS defines information systems general controls as the policies and procedures that apply to all or a large segment of an entity's information systems. General
<^oni,ixiK  IHME}  eiiKiire  iiie  imiwrmipnuKui  i>i  iiiMiniiauoii 


for creating the environment for proper operation of application controls. General controls include security management, logical and physical access, configuration

h    ^  1        nn  '■rif^* 

•    business process application controls - defined as those controls that are incorporated directly into


If they are likely to be effective, the auditor should consider specific IS controls in determining whether control objectives are achieved in the internal control phase. As discussed in SAS No. 109.54, evaluating the design of a control involves considering whether the control, individually or in combination with other controls, is capable of effectively preventing, detecting, and correcting material


If IS controls are not likely to be effective, the auditor, with the assistance of the IS controls specialist, should obtain a sufficient understanding of control risks arising from IS controls to

•  identify types of potential misstatements,

•  consider factors that affect the risks of material misstatement,

•  design tests of controls and substantive procedures, and

•  develop appropriate findings.


IS  controls  to  obt 
both  the  desw  iu 
level  of  the  nsku 


•  Identify critical control points (for example, external access points to networks) - 2.1.7

•  Obtain a preliminary understanding of information system controls - 2.1.8

These FISCAM sections include information that should be included in audit documentation. In addition to this audit documentation, as discussed in FAM Section 290, the auditor should document tentative conclusions on the likelihood that IT controls and any compensating controls such as manual controls, reviews, or


The FISCAM section 2.1.9 provides additional information concerning the following planning steps in the IS controls audit that should be coordinated with the financial audit:

•  Relevant laws and regulations — this section provides more specific guidance on how the auditor identifies significant IT-related provisions of laws and regulations and should be performed in coordination with FAM Section 245.

•  Consideration of the risk of fraud — as discussed above, this section provides more specific guidance on how the auditor identifies the risk of fraud arising from IT, including coordination between the financial auditor and the IS controls specialist, and should be performed in coordination with


for IS controls, and should be performed in coordination with the related FAM section.

•  Communication with entity management and those charged with governance — this section provides more specific guidance on communicating relevant IT-related information with entity management and those charged with governance, and should be performed in coordination with the related FAM section.

•  Service organizations — this section provides more specific guidance on the auditor's consideration of IS controls, significant to the IS audit, that are performed by a service organization. This topic is discussed further in Appendix VII "Entity's Use of Service Organizations". This section should be performed in coordination with FAM 310.

•  Using the work of others — this section provides more specific guidance on how the auditor uses the work of others in performing the IS controls audit, and should be performed in coordination with FAM section 650.


•  Audit plan — this section provides more specific guidance on how the auditor prepares an audit plan and strategy for performing the IS controls audit, and should be performed in coordination with the related FAM section.

Also, the FISCAM provides more specific guidance on how the auditor documents the planning of the IS controls audit, and should be performed in coordination with FAM Section 290.


INTERNAL CONTROL TESTING


In  general.  Fa  a 
assessing  thf  cl 
FAM  Sections]  I 


uerl^  de^signtfd  and  placed  in  operation 
svel  of  control  nsk.  the  auditor  m  a 
lot  elect  to  forgo  control  testa  solely 
to  eiOend  con^illance  iuid  sutistantlve 


The following are the types of controls tested in a financial audit:

•  iiiiiuii-Lii  iviiniiiiiiii-DiitiiiiFKiiu^iuiiiiici-tfriniiiKiifainiriiiicanii 
budget controls) for each significant assertion in each significant cycle/accounting application (identified in section 240),

•  compliance controls for each significant provision of laws and regulations (identified in section 245), including budget controls for each relevant budget restriction (identified in section 250),


In the internal control phase of a financial audit, the auditor should perform and document the following procedures:

•    Understand the entity's information systems for financial


differs from determining a control's operating effectiveness, which is concerned with how the control was applied, the consistency with which it was applied, and by whom. Gaining an understanding of the design of internal control does not require that the auditor obtain


As discussed in FAM Section 310.11, the auditor should obtain an understanding of internal control for IT and other business processing performed outside the entity under a service agreement or other contract arrangements for assessing risk and planning other audit procedures. The auditor may obtain this understanding by performing work directly at the service organization or by using SAS No. 70 reports that include these internal controls as discussed in AU 324.06-.21.

For each potential weakness, consider the impact of compensating controls or other factors that mitigate or reduce the risks related to potential weaknesses.

The following sections summarize FAM audit steps related to the testing of information system controls. The auditor should coordinate these steps with the related FISCAM steps.

Understand Information Systems

FAM Section 310 states that the auditor may use an IS controls


FAM Section 310 continues that the auditor should obtain an

egnf    n  ini         n  n^iu    i    n  n  1      g  hjse  1  aling 

with RSSI):

•  The manner in which transactions are initiated;

•  The nature and type of records, journals, ledgers, and source documents, and the accounts involved;

•  The processing involved from the initiation of transactions to their inclusion in the financial statements, including the nature of computer files and the manner in which they are accessed, updated, and deleted; and

•  The process used to prepare the entity's financial statements and budget information, including significant accounting estimates, disclosures, and computerized processing.

FAM Section 320.03 states that for each significant cycle and accounting application identified for significant line items and assertions in FAM 240 (including those dealing with RSSI) the auditor should obtain an understanding of and should document, among other things, processes used to prepare the entity's financial
1  1   0  tmg 


journal entries in the general ledger;

•  procedures used to record recurring and nonrecurring adjustments to the financial statements;

•  procedures used to combine and consolidate general ledger data;

•  closing process, including manual and automated procedures, for preparing the financial statements and related disclosures.

The FISCAM section entitled "Understand Information Systems Relevant to the Audit Objectives" included in section 2.2 provides more specific guidance on how the auditor obtains an understanding of information systems. This FISCAM section includes information that should be included in audit documentation. As discussed in FAM Section 390, the auditor must document the understanding gained of each component of internal control, including the information system. The auditor should prepare sufficient documentation to clearly describe the accounting system. For each significant cycle, the auditor should prepare a cycle memorandum or equivalent. Also, the auditor generally should prepare an illustrative flowchart of the cycle and component accounting application(s). Flowcharts provide a good mechanism to document the process and the flow of transactions through the system.


However, the auditor should avoid extreme detail, which makes the charts confusing and hard to follow. Complex systems, particularly those involving IT, may be difficult to understand without a flowchart. To the extent required as described above, the auditor should use the following do


Identify Relevant Control Objectives

FAM Section 330 discusses the identification


siiwiwii.  iKiiiiii'Si  niii^ 

•  compliance controls,

•  budget controls, and

•  relevant operations controls.

As discussed in FAM Section 495A.21, if the reliability of internally-generated data used in the substantive analytical procedures is

auditor should test, as appropriate, (1) the relevant general controls and the specific business process application level controls over the data and/or (2) the data in the report.

The FISCAM section "Identify IS Control Techniques That are Relevant to the Audit Objectives" included in section 2.2 provides more specific guidance on how the auditor identifies relevant IS control activities. This FISCAM section includes information that should be included in audit documentation. In addition to such documentation, as discussed in FAM sections 380 and 395H, the auditor documents relevant control objectives in the SCE form or equivalent documentation. Based on such controls and the audit planning procedures (particularly the identification of critical control points), the auditor should identify those other IS controls (general, business process application, interface, and data management system controls) upon which the controls in the SCE depend. FISCAM Appendices II and III can be used to document such controls.


Identify Relevant Control Activities

AsdiscussH 

iinK;i!uun>siH'  1  ■  


more effective than controls that accept transactions that fall within a broader range of values. On the other hand, controls based on exception reports that are limited to selected information or use more selective criteria may be more effective than lengthy reports that contain excessive information.

The FISCAM section "Identify IS Control Techniques That are Relevant to the Audit Objectives" provides more specific guidance on how the auditor identifies relevant IS controls.

The FISCAM is organized in a hierarchical structure to assist the auditor in performing the IS controls audit.
cootrobiandiJh^ner^imi'.icLi  .irTi  ■  ih'ji  ji'vci 

controlsicontBmseveralcojiii.  ■  hvii:--  ■..  im  ii  .n.' ^loiimnis  o 
relaied  controls  pertatimiE  [()  ■.im.i.ii  !■  -  ■  '.■i.        I'di  i'iicii  mmroi 


If sufficient, the auditor should determine whether the control techniques are implemented (placed in operation) and are operating effectively. Also, the auditor should evaluate the nature and extent of testing performed by the entity. Such information can assist in identifying key controls and in assessing risk, but the auditor should not rely on testing performed by the entity in lieu of appropriate auditor testing. If the control techniques implemented by the entity, as designed, are not sufficient to address the control activity, or the
piemented  as  designed,  the 
i  controls  and  llie  aodit 


This FISCAM section includes information that should be included in audit documentation. In addition to this documentation, as discussed in FAM Sections 380 and 395H, the auditor documents relevant controls in the SCE form or equivalent documentation. Based on such controls and the audit planning procedures (particularly the identification of critical control points), the auditor should identify those other IS controls (general, business process application, interface, and data management system controls) upon which the controls in the SCE depend. FISCAM Appendices II and


•  document these control activities in the SCE worksheet or equivalent (FAM 350.10),

•  determine the nature of control tests (FAM 350.11-.18),

•  determine the extent of control tests (FAM 350.19-.20), and

•  determine the timing of control tests (FAM 350.21).

As discussed in FAM Section 360, for each control objective identified in FAM 330, the auditor should identify the control activity, or combination of control activities, that is likely to (1) achieve the control objective and (2) improve the efficiency of control tests. In doing this, the auditor should consider (1) the extent of any inherent risk and control environment, risk assessment, communication, or monitoring weaknesses, including those related to IS controls (as documented in the ARA and/or audit strategy document or equivalent (see FAM 260)), and (2) the tentative determination of the likelihood that IS controls will be effective, as determined in the planning phase (see FAM 270). The auditor generally should test only the control activities necessary to achieve the objective.

If, in any phase of the audit, the auditor determines that control activities selected for testing are, in fact, ineffective in design or operation, the auditor should discontinue the specific control evaluation of the related control objectives and should report the identified weaknesses in internal control as discussed in FAM 680. This would include situations where the control activities are not effective in design or operation due to ineffective IS controls. If the entity's management does not agree with the auditor's conclusion that effective control activities do not exist or are unlikely to exist,


to the critical control points. For example, if the IS control is the review of an exception report, the auditor should identify and test the business process application controls directly related to the


If controls are not effective, see FAM 360.09. It is generally more efficient for the auditor to test IS controls on a top-down basis, starting with the general controls at the entitywide and system levels, followed by the general controls at the business process application level, and concluding with tests of business process application, interface, and data management system controls at the business process application level. Such a testing strategy may be used because ineffective controls at each tier generally preclude effective controls at the subsequent tier.


effectively designed, implemented, and operating effectively by

•    identifying and documenting general controls;

•    determining how those controls function, and whether they have been placed in operation; and

•    evaluating and testing the effectiveness of implemented controls.


lleaudlto 
knowledge 


iiiiise  coiiiniiH  ii:sii'ii.  oiiiTUiiiUiis  iiiiniiirii. 

Tests of General Controls at the Entitywide and System Levels

The auditor may test general controls through a combination of


and reperformance using automated test software. Although sampling is generally not used to test general controls, the auditor may use sampling to test certain controls, such as those involving approvals.

If general controls are not effectively designed and operating as intended, the auditor will generally be unable to obtain satisfaction that application controls are effective. In such instances, the auditor should (1) determine and document the nature and extent of risks resulting from ineffective general controls and (2) identify and test any manual controls that achieve the control objectives that the IS controls in the SCE or equivalent document were to achieve.

However, if manual controls do not achieve the control objectives, the auditor, with IS controls specialist assistance, should determine whether any specific IS controls are designed to achieve the objectives. If not, the auditor should develop appropriate findings principally to provide recommendations to improve internal control. If specific IS controls are designed to achieve the objectives, but are in fact ineffective because of poor general controls, testing would typically not be necessary, except to support findings.

Tests of General Controls at the Business Process Application Level


Tests of Business Process Application Controls and User

The auditor, with IS controls specialist assistance, generally should perform tests of those business process application controls (including interface and data management system controls), and user controls necessary to achieve the control objectives where the entitywide, system, and application-level general controls were determined to be effective.


As discussed in FAM Section 360.13, the auditor should test segregation of duties in the situations described in FAM 330.08. The auditor may use the following procedures to test segregation-of-duties controls:

a.  Identify the assets to be controlled through segregation of duties.

b.  Identify the individuals who have authorized access (direct or indirect) to the assets. Direct access exists when the individual is authorized to handle the assets directly (such as during the processing of cash receipts). Indirect access exists when the individual is authorized to prepare documents that cause the release or transfer of assets (such as preparing the necessary forms to request a cash disbursement or transfer of inventory).

c.  For each individual with authorized access to assets, determine whether there are sufficient asset access controls. Asset access controls are those controls that are designed to


rcceiiiLSiuaviiisio  iH'          .i  .iti.   ■    i.^i.   i: 

i«coids. 

Suchapeisoninaybema  DOSLiir'iL  I'j  m.ihLuiLj.iLL'  iik'  .u  luiliiijii!; 
records  to  conceal  a  shortage  m  uie  oa.*!!  acoouin,  umess  anomer 
individual  reviews  all  accounting  entries  maae  land  mosecnat 
dtould  have  been  made)  hv  that  persm.  In  an  FT  accounting  system, 
access  to  assets  ftequently  provides  access  to  records.  For  esan^. 


geneiabon  of  a  dieck  may  automatical]!'  lecotd  a  related  accountiiig 
enby.  In  such  drcumslances,  a  lack  of  asset  access  controls  would 
result  m  modequote  segregation  of  dnde^  and  the  auditor  should 
determine  whether  olher  contiols  would  miligate  flie  etfecls  of  this 
lack  of  asset  access  control 
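The three-step procedure above (identify the assets, identify who has direct or indirect access, and check for asset access controls and a compensating independent review) can be applied mechanically to an application's access grants and its posting records. The following is an added example written for this page, not FISCAM or FAM text: the function table, the users, their grants and the accounting entries are constructed sample data, and the rule that a reviewer counts as independent only when they hold no direct or indirect access to the asset is the example's own assumption.

```python
"""Segregation-of-duties check: asset access versus record access.

Constructed example (not FISCAM text). The function table, people,
grants and accounting entries below are hypothetical sample data.
"""
from dataclasses import dataclass
from typing import Optional

# Hypothetical application functions. "access" is the kind of asset access
# the function gives (direct handling, indirect via documents that release
# or transfer the asset, or none); "posts_entry" marks functions whose use
# automatically records an accounting entry, so asset access also provides
# record access (the check-generation case described in the text).
FUNCTIONS = {
    "receive_cash":     {"asset": "cash",      "access": "direct",   "posts_entry": False},
    "generate_check":   {"asset": "cash",      "access": "indirect", "posts_entry": True},
    "request_transfer": {"asset": "inventory", "access": "indirect", "posts_entry": False},
    "post_journal":     {"asset": "cash",      "access": None,       "posts_entry": True},
    "review_entries":   {"asset": "cash",      "access": None,       "posts_entry": False},
}


@dataclass(frozen=True)
class Grant:
    person: str
    function: str


@dataclass(frozen=True)
class Entry:
    entry_id: str
    asset: str
    made_by: str
    reviewed_by: Optional[str]   # None when no review is evidenced


def access_profile(grants):
    """Steps a and b: per person and asset, whether the grants give asset
    access (direct or indirect) and whether they give record access."""
    profile = {}
    for g in grants:
        f = FUNCTIONS[g.function]
        per_asset = profile.setdefault(g.person, {})
        acc = per_asset.setdefault(f["asset"], {"asset_access": False, "records_access": False})
        if f["access"] in ("direct", "indirect"):
            acc["asset_access"] = True
        if f["posts_entry"]:
            acc["records_access"] = True
    return profile


def is_independent(profile, reviewer, asset):
    """Assumed independence rule: the reviewer must be a known user with no
    direct or indirect access to the asset whose records they review."""
    return reviewer in profile and not profile[reviewer].get(asset, {}).get("asset_access", False)


def sod_findings(grants, entries):
    """Step c: for each person with both asset access and record access,
    report whether independent review of every entry they made mitigates
    the conflict. Entries that should have been made but were not cannot
    be detected from the data; that part remains a manual procedure."""
    profile = access_profile(grants)
    findings = []
    for person, assets in sorted(profile.items()):
        for asset, acc in sorted(assets.items()):
            if not (acc["asset_access"] and acc["records_access"]):
                continue   # no conflict: the person lacks one side of the duty
            own = [e for e in entries if e.made_by == person and e.asset == asset]
            unreviewed = [e.entry_id for e in own
                          if e.reviewed_by is None
                          or not is_independent(profile, e.reviewed_by, asset)]
            status = "mitigated" if own and not unreviewed else "unmitigated"
            findings.append({"person": person, "asset": asset,
                             "status": status, "unreviewed": unreviewed})
    return findings


# Constructed sample data.
GRANTS = [
    Grant("alice", "receive_cash"), Grant("alice", "post_journal"),
    Grant("bob", "generate_check"),          # check generation auto-posts an entry
    Grant("carol", "review_entries"),        # reviewer with no asset access
    Grant("dave", "request_transfer"),       # asset access but no record access
]
ENTRIES = [
    Entry("E1", "cash", "alice", "carol"),
    Entry("E2", "cash", "alice", None),      # never reviewed
    Entry("E3", "cash", "bob", "carol"),
    Entry("E4", "cash", "bob", "carol"),
]

if __name__ == "__main__":
    for finding in sod_findings(GRANTS, ENTRIES):
        print(finding)
```

With the sample data, alice is flagged as unmitigated because entry E2 was never reviewed, bob's automatic-posting conflict is reported as mitigated because carol, who has no asset access, reviewed every entry, and dave produces no finding because his inventory access gives him no record access.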

The FISCAM section "Test Information System Controls" included in section 2.2 provides more specific guidance on how the auditor tests relevant IS control techniques. This FISCAM section includes information that should be included in audit documentation. In addition, FISCAM Chapters 3 and 4 provide general controls and business process application level controls consistent with GAGAS categories. Appendices II and III may also be used to document the results of the IS controls audit tests.

If the auditor and the IS controls specialist determine that IS controls are effective, the auditor may also ask the IS controls specialist to identify any IS controls within the applications tested that were not previously identified by the auditor using the above procedures. For example, such IS controls might achieve control objectives not otherwise achieved through manual controls or might be more efficient or effective to test than manual controls. The IS controls specialist may assist the auditor in determining the efficiency and effectiveness of searching for and testing additional IS controls. The auditor should document these decisions, including a description of the expected scope of the IS controls specialist's [...]

The auditor and the IS controls specialist should work together to document the procedures for evaluating and testing the effectiveness of IS controls and the results of this work.

[...] "Audit Results" provides more [...] tests of [...] audit. More specifically, [...]

Appendix VII - Entity's Use of Service Organizations


If an organization uses a service organization, information and information processing are subjected to controls that may be physically and operationally removed from the user organization. Consequently, an entity's internal control may include controls that are not directly administered by the user organization, but rather by the service organization. For this reason, to obtain an understanding of IS controls, the auditor of the user organization (the user auditor) should determine the significance of the service organization's controls to the user organization's internal control and to the audit objectives. Factors that may affect the significance to the audit of a service organization's controls include the following:

• The nature and materiality of the transactions or information affected by the service organization

• The classes of transactions in the entity's operations that are [...]

• The procedures, both automated and manual, by which the entity's transactions are initiated, recorded, processed, and reported, from their occurrence to their inclusion in the financial [...]

• The related accounting records (whether electronic or manual), supporting information, and specific accounts in the financial statements involved in initiating, recording, processing, and reporting the entity's transactions

• How the entity's information system captures other events and conditions that are significant to the financial statements

• The financial reporting process used to [...]

If the user auditor determines that the service organization's controls are significant to the user organization's internal control, and within the context of the audit objectives, the user auditor should gain a sufficient understanding of those controls to assess risk and plan the audit. Such controls include (1) user controls and (2) controls implemented by the user entity to monitor the [...], such as

• contractual security requirements,

• service level agreements,

• receipt and analysis of service organization reports, and

• additional testing requested of the service auditor or performed [...] organization.

If additional information about service bureau controls is still needed, the auditor may contact the service organization, through the user entity, for additional information.

The user auditor should obtain a sufficient understanding of internal control to evaluate the effectiveness of the design of controls relevant to the audit objectives and determine whether they have been implemented. In some instances, the user entity may have effective controls over the service organization. In such cases, evidence about the operating effectiveness of internal control can be obtained from the user entity. However, in other cases, the controls are applied only at the service organization.

[...] at the relevant assertion level. For federal financial audits, OMB requires auditors of federal financial statements to test those controls that are effectively designed.

To obtain sufficient appropriate evidence about the operating effectiveness of service organization controls, the auditor may determine that it is appropriate to use a service auditor's report. In such instances, the auditor should determine whether the service auditor's report is sufficient to meet the audit objectives. For financial audits, the auditor's considerations are discussed at AU 543 (Part of Audit Performed by Other Independent Auditors). In some instances, the user auditor may determine that it is necessary and appropriate to supplement the service auditor's report by discussing it with the service auditor, by requesting the service auditor to perform agreed-upon procedures, or by performing procedures at the service organization. In addition, in some instances, the user auditor may request the service auditor to perform tests of data maintained by the service organization. Any such requests of the service auditor should be coordinated through the user and service organizations.


A service auditor may provide a service organization with one of two types of SAS 70 reports:

• Type 1 is a report on the design and implementation of controls (placed in operation) at a service organization, but does not include testing of the operating effectiveness of controls. This information, in conjunction with other information about a user organization's internal control, may assist the user auditor in obtaining an understanding of the user organization's internal control. A type 1 report is not intended to provide a basis for the [...] because it does not include control testing to determine whether the controls are [...].

• Type 2 is a report on the design and implementation of controls (placed in operation) and on the operating effectiveness of controls. In a type 2 engagement, the service auditor performs the procedures required for a type 1 engagement and also performs tests of the operating effectiveness of the controls in achieving the specified control objectives. The service auditor's report refers the reader to a description of tests of operating effectiveness performed by the service auditor. The report states whether, in the opinion of the service auditor, the controls tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the period specified. If a service organization's controls that affect a user organization's financial statements are operating with sufficient effectiveness to achieve the related control objectives, a user auditor may be able to use the type 2 report as evidence of control effectiveness, reduce their assessment of risk for certain financial statement assertions affected by the service organization's service, and reduce the extent of substantive procedures performed for those assertions.

The nature, timing, and extent of the tests of operating effectiveness are also affected by the period covered by the report. Tests of operating effectiveness may provide evidence that will enable the service auditor to report on the entire period covered by the report. To be useful to user auditors, the report ordinarily should cover the [...] reporting period of the user organization. The report should be received in time for the completion [...] assessment when considering the nature and [...] of other [...]

OMB Bulletin 07-04, as revised, Audit Requirements for Federal Financial Statements, pars. 6.16-6.[...], states that service organizations must either provide its user organizations with an audit report on whether (1) internal controls were designed properly to achieve specified objectives and placed into operation as of a specified date and (2) the controls that were tested were operating effectively to provide reasonable assurance that the related control objectives were met during the audit period, or [...] user auditors to perform appropriate tests of controls at the service organization. [...] the service organization is responsible for requesting or obtaining appropriate audit coverage. Such audit reports should be submitted to user organizations within a reasonable time but no later than September 30 to allow the auditor of the user organization to use the audit report during the audit of the user organization's financial statements.

In addition, the "Implementation Guide for OMB Circular A-123, Management's Responsibility for Internal Control, Appendix A, Internal Control over Financial Reporting," issued by the Chief Financial Officers Council (July 2005) provides guidance for [...]

In addition, NIST SP 800-47 discusses additional steps entity management should implement with respect to contractors, such as an Interconnection Security Agreement (ISA) and a Memorandum of Understanding (MOU). The ISA specifies the technical and security requirements of the interconnection, and the MOU defines the responsibilities of the participating organizations.

SAS 70 reports do not include contingency planning controls, as auditing standards (AU 324) do not apply to internal control deficiencies that affect processing in future periods. However, service auditors can be requested to perform procedures to test the effectiveness of contingency planning controls and report the results of such testing to service organization management, who in turn disclose the information and plans to correct deficiencies in the section of the SAS 70 report titled "Other Information Provided by the Service Organization."

The FISCAM can be used as a basis for performing SAS 70 audits using the control objectives discussed in Chapter 1.


Appendix VIII - Application of FISCAM to Single Audits


[...] additional information.

Single Audits include opinions on the entity's financial statements, schedule of expenditures of federal awards, and the entity's compliance with laws, regulations, and the provisions of contracts or grant agreements pertaining to federal awards that may have a direct and material effect on each of its major programs (referred to [...]

[...] certain audit procedures relating to internal [...] reporting in relation to the audit of the [...] the schedule [...] expenditures. In addition, [...] Single Audit should obtain evidence about the [...]

[...] and financial reporting is an information systems (IS) control. An IS controls specialist generally should review and concur with the audit team's identification of IS controls, particularly with respect to whether all IS controls were properly identified as such.

[...] whether IS controls are [...]

[...] production of the exception report, as well as the general and other business process application controls upon which the reliability of the information in the exception report depends, including the proper functioning of the business process application that generated the exception report and the reliability of the data used to generate the exception report. In addition, the auditor should test the effectiveness of the user control (management review and follow-up on the items in the exception report).

The following sections address the audit procedures that should be applied in a Single Audit with respect to controls over (1) compliance requirements and (2) financial reporting.


Internal  Control  over  Compliance  Requirements 


When internal control over compliance requirements for a major program is ineffective in preventing or detecting noncompliance (either in design or operation), the auditor should report a significant deficiency (including whether any such condition is a material weakness), assess the related control risk at the maximum, and determine whether to apply further audit procedures to test compliance based on ineffective internal control.

• For each relevant type of compliance requirement, determine [...] the relevant control objectives (see the Compliance Supplement).

• For each relevant control objective, identify the internal control techniques implemented by the entity to achieve the objective.

• Determine whether such control techniques are effectively designed to achieve the related control objective(s) and, if so, [...]

• For each control that is effectively designed and implemented (placed in operation), the auditor should determine whether it is effectively operating. The auditor can use the FISCAM to determine whether IS controls are effectively operating. As [...] should test the effectiveness of [...] which the effectiveness of specific IS controls depends.

When the auditor assesses control risk below the maximum level, the auditor should obtain sufficient evidential matter to support that [...]. [...] source, its timeliness, and the existence of other evidential matter related to the conclusions to which it leads all bear on the degree of assurance the evidential matter provides.

Based on the tests of controls, the auditor should draw conclusions on the assessed level of control risk. The auditor should also consider the impact on the assessment of internal controls of any exceptions noted as part of the audit procedures applied to test conformance with compliance requirements. The assessment of the effectiveness of internal control over compliance in preventing or detecting noncompliance is determined in relation to each individual type of compliance requirement for each major program or to an audit objective identified in the Compliance Supplement (e.g., controls over requirements for eligibility).

The auditor should determine whether any deficiencies in IS controls represent material weaknesses or significant deficiencies. The following definitions are provided in the draft reports on A-133 provided by the AICPA:

[...] than a remote likelihood that material noncompliance with a type of compliance requirement of a federal program will not be prevented or detected by the entity's internal control.


The objectives of internal control pertaining to the compliance requirements for Federal programs are as follows:

(1) Transactions are properly recorded and accounted for to:

    (i) [...] Federal reports;
    (ii) Maintain accountability over assets; and
    (iii) Demonstrate compliance with laws, regulations, and [...]

(2) Transactions are executed in compliance with:

    (i) Laws, regulations, and the provisions of contracts or grant agreements that could have a direct and material effect on a Federal program; and
    (ii) Any other laws and regulations that are identified in the [...]

(3) Funds, property, and other assets are safeguarded against loss [...]

The characteristics of internal control in Part 6 of the Compliance Supplement are presented in the context of the components of [...], published by the Committee of [...] Treadway Commission. These [...] Standards for Internal Control [...]. Part 6 describes [...] to each of the five [...]

[...] statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures. This includes performing risk assessment procedures to evaluate the design of controls relevant to an audit of financial statements and to determine whether they have been implemented. In obtaining this understanding, the auditor considers how an entity's use of information technology (IT) and manual procedures affect controls relevant to the audit. The FISCAM can be used to assist the auditor in obtaining an understanding of internal controls relevant to the financial statements and schedule of expenditures of federal awards.

In addition, when the auditor has determined that it is not possible or practicable to reduce the detection risk at the relevant assertion level to an acceptably low level with audit evidence obtained only from substantive procedures, the auditor should perform tests of [...] effectiveness [...] designed [...]

The FISCAM can be used to assess the effectiveness of the design and operation of information system controls as part of the financial audits of the financial statements and schedule of expenditures of federal awards.


Appendix IX - Application of FISCAM to FISMA

The FISCAM may be used as a basis for the independent evaluation of a federal agency's information security program required by the Federal Information Security Management Act (FISMA). FISMA requires that each year each agency shall have performed an independent evaluation of the information security program and practices of that agency to determine the effectiveness of such program and practices. Independent evaluations of non-national-security systems are to be performed by the agency's Inspector General, or by an independent external auditor chosen by the IG, if any, or by the head of the agency, if there is no agency IG. Evaluations related to national security systems are to be performed only by an entity designated by the agency head.

Each evaluation shall include:

• testing of the effectiveness of information security policies, procedures, and practices of a representative subset of the agency's information systems;

• an assessment (made on the basis of the results of the testing) of [...] compliance with the requirements of FISMA and related [...]

Although FISMA [...] Inspectors General [...] FISCAM [...]

The FISCAM was designed as a risk-based methodology to assess the effectiveness of an entity's information system controls. It can also be used to provide a reasonable basis for determining whether information security is effective, and for identifying information security strengths and weaknesses as a basis for that determination. The FISCAM control activities are consistent with NIST guidance in NIST SP 800-53 (see Appendix IV). All controls in NIST SP 800-53 have been mapped to FISCAM.

The following selected topics, which supplement the methodology (including the planning, testing, and reporting phases) and controls discussed in Chapters 1-4, may provide useful supplemental guidance to assist the auditor in applying the FISCAM to meet the evaluation (testing and assessment) requirements of FISMA:

• selecting a representative subset of systems [...]


Selecting a representative subset of systems

The concept of a representative subset of systems was intended to provide the evaluator (the party performing the independent evaluation) with a reasonable basis for their evaluation. The evaluator uses professional judgment to identify a sufficient scope of systems testing to constitute a representative subset of the entity's systems, with the expectation that it would be representative of all of the entity's systems covered by FISMA, in all significant respects. The evaluator may supplement systems tested for other purposes (e.g., financial audits) with additional systems necessary to obtain a representative subset. Alternatively, the evaluator also may select a representative subset of systems for purposes of the FISMA evaluation and supplement it with additional systems necessary to perform the financial audit or other audits.

[...]

• different types of applications (e.g., financial management, operations) operated by the agency

• major processing locations

• general and business process controls

• coverage of the FISCAM control areas

• contractor and other non-entity systems

• FISMA requirements

In determining [...] strategy. Also, [...] significant [...]

The auditor should consider the independence and objectivity of the persons performing the testing on behalf of the agency. If such other parties are considered independent, the auditor may determine that the work of the other parties can be used as support for the evaluation without retesting. The less independent or objective the other parties' work is, the less the auditor can use the work of the other party without retesting the other parties' work. If the other parties are not independent, the auditor should not use such work as a substitute for their own testing. Although GAGAS is not required to be applied in the FISMA evaluation, such standards provide guidance for considering independence that is consistent with other discussions of independence in professional literature. Also, the auditor may elect to perform the FISMA evaluation using GAGAS. GAGAS independence requirements are discussed in GAGAS 3.02-3.30.


The Reporting phase discussed in Chapter 2 describes how to evaluate the results of the tests of controls and conclude as to their effectiveness. As part of evaluating the results of the testing for audits used as a basis for the FISMA evaluations, the evaluator should determine whether any weaknesses identified, individually or collectively, represent FISMA significant deficiencies as that term is used in FISMA (see "Related Reporting Responsibilities" in Chapter 2 [...]). [...] FISMA [...] intends to report any significant deficiencies (FISMA significant deficiencies) [...]

[...] effectiveness of information security controls, the evaluator may perform audit procedures to determine whether information used in management reports or used to support FISMA reporting to OMB is consistent with the results of the testing they performed. More specifically, for each system tested, the evaluator may compare the results of testing with related information included in management and FISMA reports. For example, the evaluator may compare evidence obtained about the effectiveness of a system's certification and accreditation with information included in management and FISMA reports to determine whether such reporting was accurate (e.g., whether a certification and accreditation was effectively completed). If, in this circumstance, a certification and accreditation was completed and was reported as such in management and FISMA reports, but the evaluator's testing revealed that it was not properly performed, the evaluator should consider this deficiency in management's controls over monitoring in their evaluation of the results of testing and determine whether there are systemic reasons for the deficiency.

For additional guidance on performing FISMA evaluations, refer to the PCIE FISMA Framework.


Appendix X - Information System Controls Audit Documentation


Planning Phase

The auditor should document the following information developed in the planning phase:

• [...] audit, a description of how such objectives support the overall [...]

• The scope of the IS controls audit.

• The auditor's understanding of the entity's operations and key business processes, including, to the extent relevant to the audit [...]:

    • [...] and software module interaction;

    • Significant general support systems and major applications that support each key process;

    • Background information request, if used;

    • Significant internal and external factors that could affect the IS controls audit objectives;

    • Detailed organization chart, particularly the IT and the IS components;

    • Significant changes in the IT environment/architecture or significant applications implemented within the past 2 years or planned within the next 2 years; and

    • [...] connectivity, remote processing) [...] for planning the IS controls [...]. The auditor should document all access paths in and out of the key areas of audit interest.

• Factors that significantly increase or decrease IS risk and their potential impact on the effectiveness of information system controls. For each risk identified, the auditor should document [...]

• Preliminary assessment of IS risks related to the key areas of audit interest and the basis for the assessed risk. For each risk identified, the auditor should document the nature and extent of the risk; the conditions that gave rise to that risk; and the specific information or operations affected (if not pervasive). The auditor should also document other considerations that may mitigate the [...]

• Critical control points.

• A preliminary understanding of the entity's IS controls, including the organization, staffing, responsibilities, authorities, and resources of the entity's security management function. The auditor should include the following information in the documentation of their preliminary understanding of the design of IS controls, to the extent relevant to the audit objectives:

    • Identification of entitywide level controls (and appropriate system level controls) designed to achieve the control activities for each critical element within each general control area and a determination of whether they are designed effectively and implemented (placed in operation), including identification [...]

    • [...] penetration tests, disaster recovery tests, and application-specific tests performed during the last year;

    • Management's plans of action and milestones, or their equivalent, and [...] corrective actions [...] to address known IS control weaknesses;

    • Results of the prior year's audit findings;

    • Documentation for any significant computer security related incidents identified and reported for the last year;

    • Documented security plans;

    • Documented risk assessments for relevant systems (e.g., general support systems and major applications);

    • Current certification and accreditation documentation or equivalent for relevant systems;

    • Documented business continuity or operations plans and disaster recovery plans; and

    • A description of the entity's use of third-party IT services.

• Relevant laws and regulations and their relation to the audit objectives, including documentation of any consultation with legal counsel.

• Description of the auditor's procedures to consider the risk of fraud, any fraud risk factors that the auditor believes could affect the audit objectives, and planned audit procedures to detect any fraud significant to the audit objectives.

• Audit resources planned.

[...] objectives and any [...] such controls (e.g., [...]


Testing Phase

The auditor should document the following information developed in the testing phase:

• An understanding of the information systems that are relevant to the audit objectives. [...]

• [...] and system subject (e.g., network, operating system, infrastructure applications), a description of control techniques used by the entity to achieve the relevant control activities.

• [...] specific tests performed, including:

    • detailed documentation that describes the nature, timing, and [...] results, output of tools and related analysis;

    • if a control activity is not achieved, any compensating controls or other factors and the basis for determining whether they are effective;

    • the auditor's conclusions about the effectiveness of the entity's IS controls in achieving the control activity; and

    • for each weakness, whether the weakness is a material weakness, significant deficiency, or just a deficiency, as well as the criteria, condition, cause, and effect if necessary to achieve the audit objectives.

Reporting Phase

The auditor should document the following information developed in the reporting phase:

• The auditor's conclusion about the effectiveness of IS controls (in relation to the IS controls audit objectives) in achieving the control categories, critical elements, and the relevant control activities and the basis for the conclusion, including the factors that the auditor considered in making the determination.

• If part of a broader audit, the impact of any identified IS control weaknesses on the overall audit objectives.

• Copies of any reports or written communications issued in connection with the audit, including entity management comments related to such reports and communications.

• For financial audits and attestation engagements, the auditor's determination of whether identified weaknesses represent material weaknesses or significant deficiencies, and the basis for the auditor's conclusions.

• Other documentation required by the audit organization's [...]

• [...] objectives and the impact on the audit.

• [...] agency corrective actions have been implemented, based on risk and a cost benefit analysis, to sufficiently remediate previously [...]

• As appropriate, the auditor's considerations and determinations concerning FMFIA, FFMIA, and other reporting responsibilities.